qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH] vnc: fix overflow in vnc_update_stats
@ 2017-01-24  9:00 Gerd Hoffmann
  2017-01-24  9:09 ` Marc-André Lureau
  0 siblings, 1 reply; 2+ messages in thread
From: Gerd Hoffmann @ 2017-01-24  9:00 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, Marc-André Lureau

Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
incomplete.  vnc_update_stats must calculate width and height the same
way vnc_refresh_server_surface does it, to make sure we don't use width
and height values larger than the qemu vnc server can handle.

Commit "e22492d ui/vnc: disable adaptive update calculations if not
needed" masks the issue in the default configuration.  It triggers only
in case the "lossy" option is set to "on" (default is "off").

Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/vnc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 29aa9c4..e7c029d 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2756,8 +2756,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
 
 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
 {
-    int width = pixman_image_get_width(vd->guest.fb);
-    int height = pixman_image_get_height(vd->guest.fb);
+    int width = MIN(pixman_image_get_width(vd->guest.fb),
+                    pixman_image_get_width(vd->server));
+    int height = MIN(pixman_image_get_height(vd->guest.fb),
+                     pixman_image_get_height(vd->server));
     int x, y;
     struct timeval res;
     int has_dirty = 0;
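
Review bot: the MIN() clamp on width and height at the top of vnc_update_stats is a second copy of the size calculation that, per the commit message, vnc_refresh_server_surface already does, and the earlier fix was incomplete because the two sites computed the sizes differently. Consider moving the clamp into one small shared helper that both functions call, so a later change to one cannot reintroduce the overflow in the other.
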
-- 
1.8.3.1


* Re: [Qemu-devel] [PATCH] vnc: fix overflow in vnc_update_stats
  2017-01-24  9:00 [Qemu-devel] [PATCH] vnc: fix overflow in vnc_update_stats Gerd Hoffmann
@ 2017-01-24  9:09 ` Marc-André Lureau
  0 siblings, 0 replies; 2+ messages in thread
From: Marc-André Lureau @ 2017-01-24  9:09 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: qemu-devel, Marc-André Lureau

Hi

----- Original Message -----
> Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
> incomplete.  vnc_update_stats must calculate width and height the same
> way vnc_refresh_server_surface does it, to make sure we don't use width
> and height values larger than the qemu vnc server can handle.
> 
> Commit "e22492d ui/vnc: disable adaptive update calculations if not
> needed" masks the issue in the default configuration.  It triggers only
> in case the "lossy" option is set to "on" (default is "off").
> 
> Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  ui/vnc.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 29aa9c4..e7c029d 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2756,8 +2756,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int
> x, int y)
>  
>  static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
>  {
> -    int width = pixman_image_get_width(vd->guest.fb);
> -    int height = pixman_image_get_height(vd->guest.fb);
> +    int width = MIN(pixman_image_get_width(vd->guest.fb),
> +                    pixman_image_get_width(vd->server));
> +    int height = MIN(pixman_image_get_height(vd->guest.fb),
> +                     pixman_image_get_height(vd->server));
>      int x, y;
>      struct timeval res;
>      int has_dirty = 0;
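
Review bot: nothing at the new width and height initializers in vnc_update_stats says why the guest framebuffer size is clamped to vd->server, and the commit message notes that the path only triggers with "lossy" set to "on", so testing in the default configuration will not catch a regression here. A one-line comment above the MIN() lines stating that these values must not exceed the server surface, plus a test run with the "lossy" option enabled, would keep a later cleanup from dropping the clamp.
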
> --
> 1.8.3.1
> 
> 
