From: Andrzej Zaborowski
Date: Tue, 20 May 2008 00:07:59 +0000
Subject: [Qemu-devel] [4502] Prevent SEGV in VNC server for old clients (Anthony Liguori).
Reply-To: qemu-devel@nongnu.org
To: qemu-devel@nongnu.org

Revision: 4502
          http://svn.sv.gnu.org/viewvc/?view=rev&root=qemu&revision=4502
Author:   balrog
Date:     2008-05-20 00:07:58 +0000 (Tue, 20 May 2008)

Log Message:
-----------
Prevent SEGV in VNC server for old clients (Anthony Liguori).

If the client does not support the DesktopResize pseudo-encoding, then vs->{width,height} may be smaller than ds->{width,height}. dirty_row is sized according to vs->{width,height}, not ds->{width,height}. This patch makes sure to bound the update region to vs->{width,height} to avoid a possible SEGV.

Signed-off-by: Anthony Liguori
Reported-by: Marcelo Tosatti

Modified Paths:
--------------
    trunk/vnc.c

Modified: trunk/vnc.c =================================================================== --- trunk/vnc.c 2008-05-20 00:01:55 UTC (rev 4501) +++ trunk/vnc.c 2008-05-20 00:07:58 UTC (rev 4502) @@ -265,6 +265,11 @@ w += (x % 16); x -= (x % 16); + x = MIN(x, vs->width); + y = MIN(y, vs->height); + w = MIN(x + w, vs->width) - x; + h = MIN(y + h, vs->height) - y; + for (; y < h; y++) for (i = 0; i < w; i += 16) vnc_set_bit(vs->dirty_row[y], (x + i) / 16);
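
Review bot: The new `h = MIN(y + h, vs->height) - y;` leaves h as a row count, but the unchanged loop right below it, `for (; y < h; y++)`, compares y against h as an exclusive end row. With a clamped count in h, any update whose y is greater than 0 marks too few rows dirty, and none at all once y reaches h. The out-of-bounds index into `vs->dirty_row[y]` is avoided, but at the cost of stale regions on the client. Please make the two agree: either keep h as an end coordinate here (clamp it to `vs->height` without subtracting y) or change the loop bound to `y + h`. The w line is consistent as written, since the inner loop uses w as a count with `x + i`. A one-line comment stating that the clamp is against the client's `vs->{width,height}` rather than the display's `ds->{width,height}` would also help, since that distinction is the whole reason for the fix and currently lives only in the log message.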