Date: Mon, 5 Mar 2012 19:33:38 +0000
From: "Serge E. Hallyn"
Message-ID: <20120305193337.GA25975@mail.hallyn.com>
References: <20120302211122.GA9652@vostro.hallyn.com> <20120302212030.GP21784@us.ibm.com>
In-Reply-To: <20120302212030.GP21784@us.ibm.com>
Subject: Re: [Qemu-devel] [RFC] fix crashes with vmware driver
To: Ryan Harper
Cc: qemu-devel@nongnu.org

Thanks. As there's been no substantial feedback, I'll resend with those changes.

-serge

Quoting Ryan Harper (ryanh@us.ibm.com):
> * Serge Hallyn [2012-03-02 15:13]:
> > Hi,
> >
> > I don't know where the best place to catch this would be, but
> > with vnc and vmware_vga it's possible to get set_bit called on
> > a negative index, crashing qemu. See
> >
> > https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/918791
> >
> > for details. This patch prevents that. It's possible this
> > should be caught earlier, but this patch works for me.
> >
> > Signed-off-by: Serge Hallyn
> > ---
> > vmware_vga.c | 16 ++++++++++++++++
> > 1 file changed, 16 insertions(+)
> >
> > Index: qemu-kvm-1.0+noroms/hw/vmware_vga.c
> > ===================================================================
> > --- qemu-kvm-1.0+noroms.orig/hw/vmware_vga.c 2012-03-01 16:19:23.280571798 -0600
> > +++ qemu-kvm-1.0+noroms/hw/vmware_vga.c 2012-03-01 16:27:27.910975006 -0600
> > @@ -298,6 +298,22 @@
> > uint8_t *src;
> > uint8_t *dst;
> >
> > + if (x < 0) {
> > + fprintf(stderr, "%s: update x was < 0 (%d, w %d)\n",
> > + __FUNCTION__, x, w);
> > + w += x;
> > + if (w < 0)
> > + return;
> > + x = 0;
> > + }
> > + if (y < 0) {
> > + fprintf(stderr, "%s: update y was < 0 (%d, h %d)\n",
> > + __FUNCTION__, y, h);
> > + h += y;
> > + if (h < 0)
> > + return;
> > + y = 0;
> > + }
>
> Looks like it has mixed spaces and tabs.
>
> CODING_STYLE wants {} on all if's
>
> >
> > if (x + w > s->width) {
> > fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
> > __FUNCTION__, x, w);
>
> --
> Ryan Harper
> Software Engineer; Linux Technology Center
> IBM Corp., Austin, Tx
> ryanh@us.ibm.com
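Review bot: the early returns in the quoted hunk test `if (w < 0)` and `if (h < 0)` after `w += x` and `h += y`, so when the negative offset exactly cancels the size (x = -30 with w = 30, for example) the width becomes 0, the function carries on, and a zero-sized update still reaches the copy and dirty-bit code below. Both checks should be `<= 0` so an empty rectangle returns before any index is derived from it. The two unconditional `fprintf(stderr, ...)` calls also sit on a path that the guest drives through its own updates, so a misbehaving guest can fill the host's stderr at will; a rate-limited message or a tracepoint would keep the same diagnostic without that exposure.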
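The clamping the patch describes, carried through both axes and both edges, as an added example that is not QEMU's code and not the patch as posted; `struct rect`, `clamp_update_rect`, `first_dirty_bit` and `clamped_area` are names assumed for this example, and it treats a width or height that shrinks to zero as an empty update:

```c
#include <stdbool.h>
/* Added example, not QEMU code: a guest-supplied update rectangle is clamped
 * to the width x height framebuffer before any dirty-bitmap index is derived
 * from it, so set_bit can never see a negative index.  Names are assumed. */
struct rect { int x, y, w, h; };

/* Returns false when nothing is left to draw after clamping. */
static bool clamp_update_rect(struct rect *r, int width, int height)
{
    if (r->w <= 0 || r->h <= 0) {
        return false;                 /* empty or inverted rectangle */
    }
    if (r->x < 0) {
        r->w += r->x;                 /* drop the part left of column 0 */
        r->x = 0;
        if (r->w <= 0) {              /* <= 0: zero width is empty too */
            return false;
        }
    }
    if (r->y < 0) {
        r->h += r->y;                 /* same for rows above row 0 */
        r->y = 0;
        if (r->h <= 0) {
            return false;
        }
    }
    if (r->x >= width || r->y >= height) {
        return false;                 /* starts off-screen */
    }
    /* width - r->x is in 1..width here, so the compare cannot overflow */
    if (r->w > width - r->x) {
        r->w = width - r->x;
    }
    if (r->h > height - r->y) {
        r->h = height - r->y;
    }
    return true;
}

/* First dirty-bitmap bit (y * width + x) of the clamped rectangle, or -1
 * when the update is empty; a valid result is never negative. */
static long first_dirty_bit(struct rect r, int width, int height)
{
    return clamp_update_rect(&r, width, height) ? (long)r.y * width + r.x : -1;
}

/* Clamped area in pixels, 0 when the update is empty. */
static long clamped_area(struct rect r, int width, int height)
{
    return clamp_update_rect(&r, width, height) ? (long)r.w * r.h : 0;
}
```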