Date: Fri, 2 Mar 2012 15:20:30 -0600
From: Ryan Harper
Message-ID: <20120302212030.GP21784@us.ibm.com>
References: <20120302211122.GA9652@vostro.hallyn.com>
In-Reply-To: <20120302211122.GA9652@vostro.hallyn.com>
Subject: Re: [Qemu-devel] [RFC] fix crashes with vmware driver
To: Serge Hallyn
Cc: qemu-devel@nongnu.org

* Serge Hallyn [2012-03-02 15:13]:
> Hi,
>
> I don't know where the best place to catch this would be, but
> with vnc and vmware_vga it's possible to get set_bit called on
> a negative index, crashing qemu. See
>
> https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/918791
>
> for details. This patch prevents that. It's possible this
> should be caught earlier, but this patch works for me.
>
> Signed-off-by: Serge Hallyn
> ---
> vmware_vga.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> Index: qemu-kvm-1.0+noroms/hw/vmware_vga.c
> ===================================================================
> --- qemu-kvm-1.0+noroms.orig/hw/vmware_vga.c 2012-03-01 16:19:23.280571798 -0600
> +++ qemu-kvm-1.0+noroms/hw/vmware_vga.c 2012-03-01 16:27:27.910975006 -0600
> @@ -298,6 +298,22 @@
> uint8_t *src;
> uint8_t *dst;
>
> + if (x < 0) {
> + fprintf(stderr, "%s: update x was < 0 (%d, w %d)\n",
> + __FUNCTION__, x, w);
> + w += x;
> + if (w < 0)
> + return;
> + x = 0;
> + }
> + if (y < 0) {
> + fprintf(stderr, "%s: update y was < 0 (%d, h %d)\n",
> + __FUNCTION__, y, h);
> + h += y;
> + if (h < 0)
> + return;
> + y = 0;
> + }

Looks like it has mixed spaces and tabs. CODING_STYLE wants {} on all if's

> if (x + w > s->width) {
> fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
> __FUNCTION__, x, w);

--
Ryan Harper
Software Engineer; Linux Technology Center
IBM Corp., Austin, Tx
ryanh@us.ibm.com
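Review bot: in the new `if (x < 0)` and `if (y < 0)` blocks, the checks `if (w < 0) return;` and `if (h < 0) return;` still let a rectangle whose clipped width or height is exactly zero fall through to the copy below; `if (w <= 0)` and `if (h <= 0)` would also bail out on that empty update. The inner `if`s need braces to match the surrounding style, and the two `fprintf(stderr, ...)` calls run on every bad update the emulated device hands in with no rate limiting, so a misbehaving guest could flood the host's stderr; consider throttling or dropping the message. As the cover text itself notes, this clamps the bad coordinates at the point of use rather than rejecting them where they are read, so the earlier check is still worth doing.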