From: Wen Congyang <wency@cn.fujitsu.com>
To: Stefan Weil <weil@mail.berlios.de>
Cc: Corentin Chary <corentincj@iksaif.net>,
Anthony Liguori <aliguori@us.ibm.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: Fix heap corruption
Date: Tue, 01 Mar 2011 09:34:25 +0800 [thread overview]
Message-ID: <4D6C4D21.9060204@cn.fujitsu.com> (raw)
In-Reply-To: <1298928892-24039-1-git-send-email-weil@mail.berlios.de>
At 03/01/2011 05:34 AM, Stefan Weil wrote:
> Commit bc2429b9174ac2d3c56b7fd35884b0d89ec7fb02 introduced
> a severe bug (heap corruption).
>
> bitmap_clear was called with a wrong argument
> which caused out-of-bound writes to width_mask.
>
> This bug was detected with QEMU running on windows.
> It also occurs with wine:
>
> *** stack smashing detected ***: terminated
> wine: Unhandled illegal instruction at address 0x6115c7 (thread 0009), starting debugger...
>
> The bug is not windows specific!
>
> Cc: Corentin Chary <corentincj@iksaif.net>
> Cc: Anthony Liguori <aliguori@us.ibm.com>
> Signed-off-by: Stefan Weil <weil@mail.berlios.de>
> ---
> ui/vnc.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index af55156..89f71da 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2401,7 +2401,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
> */
> bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
> bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
> - VNC_DIRTY_WORDS * BITS_PER_LONG);
> + (VNC_MAX_WIDTH - ds_get_width(vd->ds)) / 16);
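Review bot: the new count on the `+` line, (VNC_MAX_WIDTH - ds_get_width(vd->ds)) / 16, rounds the difference rather than the width, so whenever the width is not a multiple of 16 it is one less than VNC_MAX_WIDTH / 16 - ds_get_width(vd->ds) / 16 and the last bit of width_mask is left untouched, while the bitmap_set call on the preceding line already uses ds_get_width(vd->ds) / 16 as the boundary. Expressing the count as the bitmap size minus that same start, e.g. VNC_DIRTY_WORDS * BITS_PER_LONG - (ds_get_width(vd->ds) / 16), makes the set and clear ranges tile the whole map exactly. Also, the quoted diagnostic "*** stack smashing detected ***" is the stack protector firing, so the "heap corruption" wording in the subject and first paragraph is worth rechecking before this goes in.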
The third argument of bitmap_clear() is the number of bits to be cleared, but we pass
the end bit to be cleared to bitmap_clear().
I think we can fix this bug like this (I can not reproduce this bug, so I do not
know whether it can fix this bug):
diff --git a/ui/vnc.c b/ui/vnc.c
index fff34af..6d54661 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2404,7 +2404,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
*/
bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
- VNC_DIRTY_WORDS * BITS_PER_LONG);
+ VNC_DIRTY_WORDS * BITS_PER_LONG - (ds_get_width(vd->ds) / 16));
cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
guest_row = vd->guest.ds->data;
server_row = vd->server->data;
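Review bot: VNC_DIRTY_WORDS * BITS_PER_LONG - (ds_get_width(vd->ds) / 16) keeps the cleared range the exact complement of the bitmap_set range on the line above, but it relies on two things the hunk does not check: that VNC_DIRTY_WORDS * BITS_PER_LONG is really the bit size of width_mask (the original code's use of it as an end bound suggests so, but it is not visible here), and that ds_get_width(vd->ds) / 16 never exceeds it, otherwise the count goes negative. A short comment naming that invariant, or an assert on the width against the maximum, would make the intent explicit; and since the change could not be reproduced locally, it merits a run with a width that is not a multiple of 16 on the stack-protector build that produced the report.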
Thanks
Wen Congyang
> cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
> guest_row = vd->guest.ds->data;
> server_row = vd->server->data;
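As an added illustration, not code from the thread or from QEMU, here is a small C model of the (bitmap, start, nr) contract Wen describes for bitmap_set()/bitmap_clear(); VNC_MAX_WIDTH_ASSUMED, MASK_BITS, nr_original/nr_stefan/nr_wen and build_width_mask are my own names and the sizes are assumptions. It shows the original end-bit argument overrunning the map, and that the two proposed counts differ by one bit whenever the width is not a multiple of 16.

```c
#include <limits.h>
#include <string.h>

/* Added example, not QEMU code: a minimal model of the (bitmap, start, nr)
 * contract of bitmap_set()/bitmap_clear(), plus the bounds check the real
 * helpers do not perform. Sizes below are assumptions for the illustration. */
#define BITS_PER_LONG ((int)(sizeof(unsigned long) * CHAR_BIT))
#define VNC_MAX_WIDTH_ASSUMED 2560              /* constructed maximum width */
#define MASK_BITS (VNC_MAX_WIDTH_ASSUMED / 16)  /* one bit per 16 pixels: 160 */
#define MASK_WORDS ((MASK_BITS + BITS_PER_LONG - 1) / BITS_PER_LONG)

static void put_bits(unsigned long *map, int start, int nr, int value)
{
    for (int i = start; i < start + nr; i++) {
        unsigned long bit = 1UL << (i % BITS_PER_LONG);
        if (value) map[i / BITS_PER_LONG] |= bit;
        else       map[i / BITS_PER_LONG] &= ~bit;
    }
}

/* 1 when [start, start + nr) fits inside a bitmap of total_bits bits. */
int range_in_bounds(int start, int nr, int total_bits)
{
    return start >= 0 && nr >= 0 && start + nr <= total_bits;
}

/* The three values the thread passes as bitmap_clear()'s third argument. */
int nr_original(void)    { return MASK_BITS; }                            /* the end bit */
int nr_stefan(int width) { return (VNC_MAX_WIDTH_ASSUMED - width) / 16; }  /* patch */
int nr_wen(int width)    { return MASK_BITS - width / 16; }               /* reply */

/* Build width_mask as the hunk does and return its population count,
 * or -1 when the clear would write past the end of the map. */
int build_width_mask(int width, int nr_clear)
{
    unsigned long mask[MASK_WORDS];
    int start = width / 16, set = 0;
    memset(mask, 0xff, sizeof mask);  /* constructed: stale 1 bits make leftovers visible */
    if (!range_in_bounds(start, nr_clear, MASK_BITS))
        return -1;
    put_bits(mask, 0, start, 1);      /* bitmap_set(width_mask, 0, width / 16) */
    put_bits(mask, start, nr_clear, 0); /* bitmap_clear(width_mask, width / 16, nr) */
    for (int i = 0; i < MASK_BITS; i++)
        set += (mask[i / BITS_PER_LONG] >> (i % BITS_PER_LONG)) & 1;
    return set;
}
```

For a 1000-pixel width the original count overruns the 160-bit map, the patch's count clears 97 bits and leaves the last bit stale, and the reply's count clears 98 and tiles the map exactly.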