[Qemu-devel] Buggy SDL Zoom

[Qemu-devel] Buggy SDL Zoom

[Stefan Weil]

Hi,

the SDL zoom feature which is implemented in sdl_zoom_template.h
(and the SDL_rotozoom version which it is based on) accesses memory
beyond the allocated limits.

This can be easily reproduced using Valgrind and some Linux desktop
which resizes QEMU's window to fill the whole screen (I did run the tests
on an Ubuntu netbook).

Another effect can be observed by repeatedly increasing the zoom factor
with the Alt-Ctrl-+: the image grows up to a certain value and then
collapses again.

It looks like other programs using SDL_rotozoom also discovered
out-of-bound problems, and in newer versions, the SDL_rotozoom
code was totally rewritten.

For security reasons, I suggest disabling the zoom feature until
either the current code is replaced by a (tested) newer version
of SDL_rotozoom or fixed.

Cheers,
Stefan Weil

Re: [Qemu-devel] Buggy SDL Zoom

[Stefano Stabellini]

On Wed, 12 Oct 2011, Stefan Weil wrote:
> Hi,
> 
> the SDL zoom feature which is implemented in sdl_zoom_template.h
> (and the SDL_rotozoom version which it is based on) accesses memory
> beyond the allocated limits.
> 
> This can be easily reproduced using Valgrind and some Linux desktop
> which resizes QEMU's window to fill the whole screen (I did run the tests
> on an Ubuntu netbook).
> 
> Another effect can be observed by repeatedly increasing the zoom factor
> with the Alt-Ctrl-+: the image grows up to a certain value and then
> collapses again.
> 
> It looks like other programs using SDL_rotozoom also discovered
> out-of-bound problems, and in newer versions, the SDL_rotozoom
> code was totally rewritten.
> 
> For security reasons, I suggest disabling the zoom feature until
> either the current code is replaced by a (tested) newer version
> of SDL_rotozoom or fixed.

I am OK with that.