From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:36486)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lists@wiesinger.com>) id 1TU12f-0007OC-N4
	for qemu-devel@nongnu.org; Thu, 01 Nov 2012 16:07:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lists@wiesinger.com>) id 1TU12a-0000eO-VG
	for qemu-devel@nongnu.org; Thu, 01 Nov 2012 16:07:05 -0400
Received: from chello084112167138.7.11.vie.surfer.at ([84.112.167.138]:41080
	helo=wiesinger.com) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lists@wiesinger.com>) id 1TU12a-0000e7-Kp
	for qemu-devel@nongnu.org; Thu, 01 Nov 2012 16:07:00 -0400
Received: from bbs.intern (localhost [127.0.0.1])
	by wiesinger.com (8.14.4/8.14.4) with ESMTP id qA1K6XrJ001318
	for <qemu-devel@nongnu.org>; Thu, 1 Nov 2012 21:06:33 +0100
Received: from localhost (gerhard@localhost)
	by bbs.intern (8.14.4/8.14.4/Submit) with ESMTP id qA1K6WPZ001314
	for <qemu-devel@nongnu.org>; Thu, 1 Nov 2012 21:06:32 +0100
Date: Thu, 1 Nov 2012 21:06:32 +0100 (CET)
From: Gerhard Wiesinger <lists@wiesinger.com>
Message-ID: <alpine.LFD.2.02.1211012105080.690@bbs.intern>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Subject: [Qemu-devel] [PATCH] ui/vnc.c: Fix crash with VNC
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Fix crash with VNC under NT 4.0 and VMWare VGA and window which is outside of the visible area.

Backtrace:
#0  set_bit (addr=<optimized out>, nr=-3) at ./bitops.h:122
#1  vnc_dpy_update (ds=<optimized out>, x=-48, y=145, w=57, h=161) at ui/vnc.c:452
#2  0x00007f1ce057e2ec in dpy_update (s=0x7f1ce1c8c880, h=16, w=66, y=145, x=-57) at ./console.h:242
#3  vmsvga_update_rect (h=16, w=66, y=145, x=-57, s=0x7f1ce1cb3dd0) at hw/vmware_vga.c:324
#4  vmsvga_update_rect_flush (s=0x7f1ce1cb3dd0) at hw/vmware_vga.c:357
#5  vmsvga_update_display (opaque=0x7f1ce1cb3dd0) at hw/vmware_vga.c:960
#6  0x00007f1ce05f0b37 in vnc_refresh (opaque=0x7f1cd8526010) at ui/vnc.c:2590
#7  0x00007f1ce05c002b in qemu_run_timers (clock=0x7f1ce1c4f910) at qemu-timer.c:392
#8  qemu_run_timers (clock=0x7f1ce1c4f910) at qemu-timer.c:373
#9  0x00007f1ce05c028d in qemu_run_all_timers () at qemu-timer.c:449
#10 0x00007f1ce058f2ee in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:502
#11 0x00007f1ce047acb3 in main_loop () at vl.c:1655
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:3826

Signed-off-by: Gerhard Wiesinger <lists@wiesinger.com>
---
  ui/vnc.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 7c120e6..ae6d819 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -453,6 +453,11 @@ static void vnc_dpy_update(DisplayState *ds, int x, int y, int w, int h)
      w = MIN(x + w, width) - x;
      h = MIN(h, height);

+    x = MAX(x, 0);
+    y = MAX(y, 0);
+    w = MAX(w, 0);
+    h = MAX(h, 0);
+
      for (; y < h; y++)
          for (i = 0; i < w; i += 16)
              set_bit((x + i) / 16, s->dirty[y]);
-- 
1.7.11.7