[Spice-devel] [qxl-win PATCH 1/2] display: handle correctly bitmaps with line-size > 64K

Yonit Halperin yhalperi at redhat.com
Fri Jun 21 06:50:18 PDT 2013


rhbz#966835

We do not support copying such bitmaps. But instead of failing
operations that involve such bitmaps, we either BSODed (in checked
builds) or proceeded with the bitmap copying (in free builds) - this led to an infinite
loop allocating QXLDataChunks without any data, just a header.
---
 xddm/display/res.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/xddm/display/res.c b/xddm/display/res.c
index e494271..6f04475 100644
--- a/xddm/display/res.c
+++ b/xddm/display/res.c
@@ -1871,7 +1871,11 @@ static _inline Resource *GetBitmapImage(PDev *pdev, SURFOBJ *surf, XLATEOBJ *col
     DEBUG_PRINT((pdev, 12, "%s\n", __FUNCTION__));
     ASSERT(pdev, width > 0 && height > 0);
 
-    ASSERT(pdev, BITS_BUF_MAX > line_size);
+    if (line_size >= BITS_BUF_MAX) {
+        DEBUG_PRINT((pdev, 0, "%s: line size (%u) exceeds max (%u)\n", __FUNCTION__,
+                     line_size, BITS_BUF_MAX));
+        return NULL;
+    }
     alloc_size = BITMAP_ALLOC_BASE + BITS_BUF_MAX - BITS_BUF_MAX % line_size;
     alloc_size = MIN(BITMAP_ALLOC_BASE + height * line_size, alloc_size);
     image_res = AllocMem(pdev, MSPACE_TYPE_DEVRAM, alloc_size);
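Review bot: A zero `line_size` still reaches `BITS_BUF_MAX % line_size` on the line right after the new guard, which is a division by zero. Nothing visible in the hunk checks `line_size` for zero, and the `ASSERT` on width and height above is, according to the commit message, not a barrier in free builds. Extending the guard to `if (line_size == 0 || line_size >= BITS_BUF_MAX) {` would turn that case into the same NULL return. GetBitmapImage starts and ends outside the hunk, so whether callers already exclude a zero line size cannot be confirmed from here.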
@@ -2305,6 +2309,9 @@ BOOL QXLGetBitmap(PDev *pdev, QXLDrawable *drawable, QXLPHYSICAL *image_phys, SU
                                    src, line_size, key))) {
         image_res = GetBitmapImage(pdev, surf, color_trans, !!cache_image, width, height, format,
                                    src, line_size, key);
+        if (!image_res) {
+            return FALSE;
+        }
     }
     internal = (InternalImage *)image_res->res;
     if (high_bits_set) {
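Review bot: The new `return FALSE` path leaves `cache_image` untouched, and the call above passes `!!cache_image`, so it may be non-NULL at this point. If a cache entry was allocated or registered earlier in QXLGetBitmap (that part is outside the hunk), it should be released or unregistered before returning; otherwise a later lookup of the same key could find an entry with no image behind it. The same applies to the identical check added in QXLGetAlphaBitmap. A short comment on the check, e.g. `/* GetBitmapImage returns NULL when line_size >= BITS_BUF_MAX */`, would also tell readers why NULL is an expected result here.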
@@ -2435,6 +2442,9 @@ BOOL QXLGetAlphaBitmap(PDev *pdev, QXLDrawable *drawable, QXLPHYSICAL *image_phy
                                    SPICE_BITMAP_FMT_RGBA, src, width << 2, key))) {
         image_res = GetBitmapImage(pdev, surf, NULL, !!cache_image, width, height,
                                    SPICE_BITMAP_FMT_RGBA, src, width << 2, key);
+        if (!image_res) {
+            return FALSE;
+        }
     }
     internal = (InternalImage *)image_res->res;
     if ((internal->cache = cache_image)) {
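Review bot: The line size handed to GetBitmapImage here is `width << 2`, so the new `line_size >= BITS_BUF_MAX` guard only sees the shifted value. If `width` is a 32-bit quantity, a large enough width wraps to a small line size and passes the guard while the real row length is far over the limit. Rejecting the width before the shift, e.g. `if (width >= BITS_BUF_MAX / 4) return FALSE;` ahead of the cache lookup, would keep the limit tied to the actual row length. The type and origin of `width` are outside the hunk, so this needs confirming against the start of QXLGetAlphaBitmap.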
-- 
1.8.1.4


