From mboxrd@z Thu Jan 1 00:00:00 1970
From: Markus Armbruster
Subject: [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates
Date: Tue, 13 Nov 2007 17:44:30 +0100
Message-ID: <87sl3aqemp.fsf@pike.pond.sub.org>
References: <871waurt8t.fsf@pike.pond.sub.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <871waurt8t.fsf@pike.pond.sub.org> (Markus Armbruster's message of "Tue\, 13 Nov 2007 17\:43\:30 +0100")
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

Bogus screen update requests from buggy or malicious frontend make SDL crash. The VNC backend silently ignores them. Catch and log them.

Signed-off-by: Markus Armbruster

diff -r 837f83225153 tools/ioemu/hw/xenfb.c --- a/tools/ioemu/hw/xenfb.c Fri Nov 09 12:08:37 2007 +0000 +++ b/tools/ioemu/hw/xenfb.c Tue Nov 13 17:30:22 2007 +0100 @@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen rmb(); /* ensure we see ring contents up to prod */ for (cons = page->out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + int x, y, w, h; switch (event->type) { case XENFB_TYPE_UPDATE: - xenfb_guest_copy(xenfb, - event->update.x, event->update.y, - event->update.width, event->update.height); + x = MAX(event->update.x, 0); + y = MAX(event->update.y, 0); + w = MIN(event->update.width, xenfb->width - x); + h = MIN(event->update.height, xenfb->height - y); + if (w < 0 || h < 0) { + fprintf(stderr, "%s bogus update ignored\n", + xenfb->fb.nodename); + break; + } + if (x != event->update.x || y != event->update.y + || w != event->update.width + || h != event->update.height) { + fprintf(stderr, "%s bogus update clipped\n", + xenfb->fb.nodename); + break; + } + xenfb_guest_copy(xenfb, x, y, w, h); break; } }
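
Review bot: In the second check of the XENFB_TYPE_UPDATE case, the branch that logs "bogus update clipped" ends in `break;`, so an update that was clamped to the framebuffer is dropped exactly like the "ignored" case, and the clamped x, y, w, h never reach xenfb_guest_copy(). If the intent is to clip and still redraw the valid part, drop that `break;` so control falls through to `xenfb_guest_copy(xenfb, x, y, w, h);`. If the intent is to discard, the message should say so and the clamping serves only as a validity test. Separately, both fprintf() calls run once per bogus event inside the ring loop, so a frontend that keeps sending such events can flood stderr; consider logging once per device or rate-limiting.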