From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58988) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XNGlQ-00021D-2D for qemu-devel@nongnu.org; Fri, 29 Aug 2014 03:38:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XNGlJ-0006eJ-Qw for qemu-devel@nongnu.org; Fri, 29 Aug 2014 03:38:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:10806) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XNGlJ-0006dO-JR for qemu-devel@nongnu.org; Fri, 29 Aug 2014 03:38:21 -0400 From: Gerd Hoffmann Date: Fri, 29 Aug 2014 09:38:04 +0200 Message-Id: <1409297884-18690-1-git-send-email-kraxel@redhat.com> Subject: [Qemu-devel] [PATCH] qxl-render: add more sanity checks List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Gerd Hoffmann , Anthony Liguori Damn, the dirty rectangle values are signed integers. So the checks added by commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21 are not good enouth, we also have to make sure they are not negative. [ Note: There must be something broken in spice-server so we get negative values in the first place. Bug opened: https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ] Signed-off-by: Gerd Hoffmann
---
 ui/vnc.c | 42 ++++++++++++++++++++++-------------------- ui/vnc.h | 1 + 2 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index f8d9b7d..b33f6b3 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -46,7 +46,8 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
 #include "vnc_keysym.h"
 #include "d3des.h"
-static VncDisplay *vnc_display; /* needed for info vnc */
+static QTAILQ_HEAD(, VncDisplay) vnc_displays =
+ QTAILQ_HEAD_INITIALIZER(vnc_displays);
 static int vnc_cursor_define(VncState *vs);
 static void vnc_release_modifiers(VncState *vs);
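Review bot: None of the sign checks promised by the description are present: beginning with this hunk, every change in the patch is in ui/vnc.c and ui/vnc.h and replaces the `vnc_display` global with the `vnc_displays` list, and no qxl-render code or dirty-rectangle validation is touched. The message and the diff appear to belong to different patches, so the negative-value check should be reviewed in whatever patch actually carries it rather than assumed fixed here. Separately, the replaced declaration loses its `/* needed for info vnc */` comment; the new list head would benefit from one such as `/* all VNC displays; QTAILQ_FIRST() is the one the monitor and vnc_display_* calls operate on */`.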
@@ -226,10 +227,10 @@ static const char *vnc_auth_name(VncDisplay *vd) {
 return "unknown";
 }
-static VncServerInfo *vnc_server_info_get(void)
+static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
 {
 VncServerInfo *info;
- VncBasicInfo *bi = vnc_basic_info_get_from_server_addr(vnc_display->lsock);
+ VncBasicInfo *bi = vnc_basic_info_get_from_server_addr(vd->lsock);
 if (!bi) {
 return NULL;
 }
@@ -237,7 +238,7 @@ static VncServerInfo *vnc_server_info_get(void)
 info = g_malloc(sizeof(*info));
 info->base = bi;
 info->has_auth = true;
- info->auth = g_strdup(vnc_auth_name(vnc_display));
+ info->auth = g_strdup(vnc_auth_name(vd));
 return info;
 }
@@ -282,7 +283,7 @@ static void vnc_qmp_event(VncState *vs, QAPIEvent event)
 }
 g_assert(vs->info->base);
- si = vnc_server_info_get();
+ si = vnc_server_info_get(vs->vd);
 if (!si) {
 return;
 }
@@ -348,8 +349,9 @@ static VncClientInfo *qmp_query_vnc_client(const VncState *client)
 VncInfo *qmp_query_vnc(Error **errp)
 {
 VncInfo *info = g_malloc0(sizeof(*info));
+ VncDisplay *vd = QTAILQ_FIRST(&vnc_displays);
- if (vnc_display == NULL || vnc_display->display == NULL) {
+ if (vd == NULL || vd->display == NULL) {
 info->enabled = false;
 } else {
 VncClientInfoList *cur_item = NULL;
@@ -364,7 +366,7 @@ VncInfo *qmp_query_vnc(Error **errp)
 /* for compatibility with the original command */
 info->has_clients = true;
- QTAILQ_FOREACH(client, &vnc_display->clients, next) {
+ QTAILQ_FOREACH(client, &vd->clients, next) {
 VncClientInfoList *cinfo = g_malloc0(sizeof(*info));
 cinfo->value = qmp_query_vnc_client(client);
@@ -377,11 +379,11 @@ VncInfo *qmp_query_vnc(Error **errp)
 }
 }
- if (vnc_display->lsock == -1) {
+ if (vd->lsock == -1) {
 return info;
 }
- if (getsockname(vnc_display->lsock, (struct sockaddr *)&sa,
+ if (getsockname(vd->lsock, (struct sockaddr *)&sa,
 &salen) == -1) {
 error_set(errp, QERR_UNDEFINED_ERROR);
 goto out_error;
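Review bot: `QTAILQ_FIRST(&vnc_displays)` in qmp_query_vnc means only the first display is ever reported, although vnc_display_init now appends every new VncDisplay to the list. The same first-entry lookup is used in the later hunks for vnc_display_close, vnc_display_password, vnc_display_pw_expire, vnc_display_local_addr, vnc_display_open and vnc_display_add_client, all of which receive a `DisplayState *ds` and ignore it. If more than one display can be registered, a password or expiry set through these calls lands on the first display only while any other keeps whatever credentials it had, and its clients are missing from the query output. Until lookup by display exists, a comment at each site such as `/* FIXME: always acts on the first VNC display */` would make the limitation explicit.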
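Review bot: The context line `VncClientInfoList *cinfo = g_malloc0(sizeof(*info));` inside the client loop sizes the allocation from `*info`, a VncInfo, rather than from the object being allocated. Neither struct definition is visible here, so the hunk does not show whether this over- or under-allocates; it is safe only while VncInfo is at least as large as VncClientInfoList. Since the commit already rewrites the loop header, it would be worth changing the line to `VncClientInfoList *cinfo = g_malloc0(sizeof(*cinfo));`. The body of qmp_query_vnc continues outside this hunk.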
@@ -405,7 +407,7 @@ VncInfo *qmp_query_vnc(Error **errp)
 info->family = inet_netfamily(sa.ss_family);
 info->has_auth = true;
- info->auth = g_strdup(vnc_auth_name(vnc_display));
+ info->auth = g_strdup(vnc_auth_name(vd));
 }
 return info;
@@ -853,7 +855,7 @@ static int vnc_cursor_define(VncState *vs)
 static void vnc_dpy_cursor_define(DisplayChangeListener *dcl,
 QEMUCursor *c)
 {
- VncDisplay *vd = vnc_display;
+ VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
 VncState *vs;
 cursor_put(vd->cursor);
@@ -2944,7 +2946,7 @@ void vnc_display_init(DisplayState *ds)
 {
 VncDisplay *vs = g_malloc0(sizeof(*vs));
- vnc_display = vs;
+ QTAILQ_INSERT_TAIL(&vnc_displays, vs, next);
 vs->lsock = -1;
 #ifdef CONFIG_VNC_WS
@@ -2974,7 +2976,7 @@ void vnc_display_init(DisplayState *ds)
 static void vnc_display_close(DisplayState *ds)
 {
- VncDisplay *vs = vnc_display;
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
 if (!vs)
 return;
@@ -3003,7 +3005,7 @@ static void vnc_display_close(DisplayState *ds)
 int vnc_display_password(DisplayState *ds, const char *password)
 {
- VncDisplay *vs = vnc_display;
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
 if (!vs) {
 return -EINVAL;
@@ -3022,7 +3024,7 @@ int vnc_display_password(DisplayState *ds, const char *password)
 int vnc_display_pw_expire(DisplayState *ds, time_t expires)
 {
- VncDisplay *vs = vnc_display;
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
 if (!vs) {
 return -EINVAL;
@@ -3034,14 +3036,14 @@ int vnc_display_pw_expire(DisplayState *ds, time_t expires)
 char *vnc_display_local_addr(DisplayState *ds)
 {
- VncDisplay *vs = vnc_display;
-
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
+
 return vnc_socket_local_addr("%s:%s", vs->lsock);
 }
 void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
 {
- VncDisplay *vs = vnc_display;
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
 const char *options;
 int password = 0;
 int reverse = 0;
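Review bot: vnc_display_local_addr dereferences `vs->lsock` without checking the result of `QTAILQ_FIRST(&vnc_displays)`, which is NULL when the list is empty. vnc_display_close, vnc_display_password, vnc_display_pw_expire and vnc_display_open all guard with `if (!vs)`, so this function and vnc_display_add_client in the last ui/vnc.c hunk, which passes `vs` straight to vnc_connect, are the odd ones out. A guard such as `if (!vs) { return NULL; }` here and `if (!vs) { return; }` before the vnc_connect call would make the accessors consistent. How callers treat a NULL return from vnc_display_local_addr, and whether vnc_connect tolerates a NULL display, is not visible in this patch and should be confirmed.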
@@ -3057,7 +3059,7 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
 #endif
 int lock_key_sync = 1;
- if (!vnc_display) {
+ if (!vs) {
 error_setg(errp, "VNC display not active");
 return;
 }
@@ -3356,7 +3358,7 @@ fail:
 void vnc_display_add_client(DisplayState *ds, int csock, bool skipauth)
 {
- VncDisplay *vs = vnc_display;
+ VncDisplay *vs = QTAILQ_FIRST(&vnc_displays);
 vnc_connect(vs, csock, skipauth, false);
 }
diff --git a/ui/vnc.h b/ui/vnc.h
index 334de9d..a7cdcea 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -184,6 +184,7 @@ struct VncDisplay
 #ifdef CONFIG_VNC_SASL
 VncDisplaySASL sasl;
 #endif
+ QTAILQ_ENTRY(VncDisplay) next;
 };
 typedef struct VncTight {
--
1.8.3.1