From: Corentin Chary
To: Anthony Liguori
Cc: qemu-devel
Date: Wed, 2 Mar 2011 10:57:12 +0000
Subject: [Qemu-devel] Re: [PATCH RESEND 2/2] vnc: Fix heap corruption
In-Reply-To: <4D6DC06B.6070308@cn.fujitsu.com>
References: <4D6DBDA4.3050909@cn.fujitsu.com> <4D6DC06B.6070308@cn.fujitsu.com>

On Wed, Mar 2, 2011 at 3:58 AM, Wen Congyang wrote:
> This bug is reported by Stefan Weil:
> ========
> Commit bc2429b9174ac2d3c56b7fd35884b0d89ec7fb02 introduced
> a severe bug (heap corruption).
>
> bitmap_clear was called with a wrong argument
> which caused out-of-bound writes to width_mask.
>
> This bug was detected with QEMU running on windows.
> It also occurs with wine:
>
> *** stack smashing detected ***:  terminated
> wine: Unhandled illegal instruction at address 0x6115c7 (thread 0009), starting debugger...
>
> The bug is not windows specific!
> ========
>
> The third argument of bitmap_clear() is the number of bits to be cleared, but we pass
> the end bits to be cleared to bitmap_clear().
>
> Signed-off-by: Wen Congyang
> Reported-by: Stefan Weil

Acked-by: Corentin Chary

> ---
>  ui/vnc.c |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index e3761b0..e7d0b5b 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2390,6 +2390,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
>      unsigned long width_mask[VNC_DIRTY_WORDS];
>      VncState *vs;
>      int has_dirty = 0;
> +    const size_t width = ds_get_width(vd->ds) / 16;
>
>      struct timeval tv = { 0, 0 };
>
> @@ -2403,9 +2404,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
>       * Check and copy modified bits from guest to server surface.
>       * Update server dirty map.
>       */
> -    bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
> -    bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
> -                 VNC_DIRTY_WORDS * BITS_PER_LONG);
> +    bitmap_set(width_mask, 0, width);
> +    bitmap_clear(width_mask, width, VNC_DIRTY_WORDS * BITS_PER_LONG - width);
>      cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
>      guest_row  = vd->guest.ds->data;
>      server_row = vd->server->data;
> --
> 1.7.1
>
>

-- 
Corentin Chary
http://xf.iksaif.net
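Review bot: the new `width` local in the first hunk (`const size_t width = ds_get_width(vd->ds) / 16;`) is a count of 16-pixel columns, i.e. a bit index into `width_mask`, not a pixel width, and nothing bounds it against the `VNC_DIRTY_WORDS * BITS_PER_LONG` capacity of the mask. A name that carries the unit (for example `width_bits`) or a one-line comment would prevent the next reader from passing it where a pixel count is expected, and an assert that `width <= VNC_DIRTY_WORDS * BITS_PER_LONG` at the point it is computed would make a surface wider than the dirty bitmap fail loudly instead of letting the later `bitmap_set` write past `width_mask`.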
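Review bot: the corrected `bitmap_clear(width_mask, width, VNC_DIRTY_WORDS * BITS_PER_LONG - width)` in the second hunk is the right fix for the defect the commit message describes (the third argument is a length, and the old code passed the end index, so `bitmap_clear` ran `width` bits past the end of the array), but because `width` is `size_t` the subtraction wraps to a huge length whenever `width` exceeds `VNC_DIRTY_WORDS * BITS_PER_LONG`, which would turn an oversized display into another out-of-bounds write rather than a no-op. A guard on `width` before the `bitmap_set`/`bitmap_clear` pair, or an assert that the surface width fits the mask, would close that path; the behaviour for `width == 0` (mask fully cleared) is fine as written.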