[Qemu-devel] [PATCH] spice-display: fix segfault in qemu_spice_create

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] spice-display: fix segfault in qemu_spice_create_update
@ 2015-06-10  9:24 Gerd Hoffmann
  2015-06-10 14:40 ` [Qemu-devel] [Qemu-stable] " Cole Robinson
  0 siblings, 1 reply; 2+ messages in thread
From: Gerd Hoffmann @ 2015-06-10  9:24 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, qemu-stable

Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different.  So use
separate variables for them.

Cc: qemu-stable@nongnu.org
Reported-by: perrier vincent <clownix@clownix.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/spice-display.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 9c63132..4e6356a 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -199,7 +199,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
     static const int blksize = 32;
     int blocks = (surface_width(ssd->ds) + blksize - 1) / blksize;
     int dirty_top[blocks];
-    int y, yoff, x, xoff, blk, bw;
+    int y, yoff1, yoff2, x, xoff, blk, bw;
     int bpp = surface_bytes_per_pixel(ssd->ds);
     uint8_t *guest, *mirror;
 
@@ -214,13 +214,14 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
     guest = surface_data(ssd->ds);
     mirror = (void *)pixman_image_get_data(ssd->mirror);
     for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) {
-        yoff = y * surface_stride(ssd->ds);
+        yoff1 = y * surface_stride(ssd->ds);
+        yoff2 = y * pixman_image_get_stride(ssd->mirror);
         for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
             xoff = x * bpp;
             blk = x / blksize;
             bw = MIN(blksize, ssd->dirty.right - x);
-            if (memcmp(guest + yoff + xoff,
-                       mirror + yoff + xoff,
+            if (memcmp(guest + yoff1 + xoff,
+                       mirror + yoff2 + xoff,
                        bw * bpp) == 0) {
                 if (dirty_top[blk] != -1) {
                     QXLRect update = {
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Qemu-devel] [Qemu-stable] [PATCH] spice-display: fix segfault in qemu_spice_create_update
  2015-06-10  9:24 [Qemu-devel] [PATCH] spice-display: fix segfault in qemu_spice_create_update Gerd Hoffmann
@ 2015-06-10 14:40 ` Cole Robinson
  0 siblings, 0 replies; 2+ messages in thread
From: Cole Robinson @ 2015-06-10 14:40 UTC (permalink / raw)
  To: Gerd Hoffmann, qemu-devel; +Cc: qemu-stable

On 06/10/2015 05:24 AM, Gerd Hoffmann wrote:
> Although it is pretty unusual the stride for the guest image and the
> mirror image maintained by spice-display can be different.  So use
> separate variables for them.
> 
> Cc: qemu-stable@nongnu.org
> Reported-by: perrier vincent <clownix@clownix.net>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Cool, hopefully this fixes:

https://bugzilla.redhat.com/show_bug.cgi?id=1163047

There's over 50 faf hits for it:

https://retrace.fedoraproject.org/faf/reports/bthash/0d3245e479f9d9a3b908c34214599f7e45bb2d69

- Cole

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-06-10 14:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-06-10  9:24 [Qemu-devel] [PATCH] spice-display: fix segfault in qemu_spice_create_update Gerd Hoffmann
2015-06-10 14:40 ` [Qemu-devel] [Qemu-stable] " Cole Robinson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).