<p dir="ltr"><br>
On Sep 10, 2014 5:10 PM, "Christophe Fergeau" <<a href="mailto:cfergeau@redhat.com">cfergeau@redhat.com</a>> wrote:<br>
><br>
> It's possible for a buggy guest driver to pass invalid bounding box<br>
> dimensions in QXL commands, which would then cause spice-server to<br>
> segfault. This patch checks the size of the bounding box of the QXL<br>
> command right after it has been parsed.<br>
><br>
> This fixes rhbz#1135372</p>
<p dir="ltr">ACK.<br></p>
<p dir="ltr">> ---<br>
>  server/red_worker.c | 31 +++++++++++++++++++++++++++++++<br>
>  1 file changed, 31 insertions(+)<br>
><br>
> diff --git a/server/red_worker.c b/server/red_worker.c<br>
> index dcd8b77..e177b68 100644<br>
> --- a/server/red_worker.c<br>
> +++ b/server/red_worker.c<br>
> @@ -1250,6 +1250,33 @@ static inline void __validate_surface(RedWorker *worker, uint32_t surface_id)<br>
>      spice_warn_if(surface_id >= worker->n_surfaces);<br>
>  }<br>
><br>
> +static int validate_drawable_bbox(RedWorker *worker, RedDrawable *drawable)<br>
> +{<br>
> +        DrawContext *context;<br>
> +        uint32_t surface_id = drawable->surface_id;<br>
> +<br>
> +        /* surface_id must be validated before calling into<br>
> +         * validate_drawable_bbox<br>
> +         */<br>
> +        __validate_surface(worker, surface_id);<br>
> +        context = &worker->surfaces[surface_id].context;<br>
> +<br>
> +        if (drawable->bbox.top < 0)<br>
> +                return FALSE;<br>
> +        if (drawable->bbox.left < 0)<br>
> +                return FALSE;<br>
> +        if (drawable->bbox.bottom < 0)<br>
> +                return FALSE;<br>
> +        if (drawable->bbox.right < 0)<br>
> +                return FALSE;<br>
> +        if (drawable->bbox.bottom > context->height)<br>
> +                return FALSE;<br>
> +        if (drawable->bbox.right > context->width)<br>
> +                return FALSE;<br>
> +<br>
> +        return TRUE;<br>
> +}<br>
> +<br>
>  static inline int validate_surface(RedWorker *worker, uint32_t surface_id)<br>
>  {<br>
>      spice_warn_if(surface_id >= worker->n_surfaces);<br>
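Review bot: The call to `__validate_surface` at the top of validate_drawable_bbox only emits a warning through spice_warn_if and does not stop the function, so an out-of-range surface_id still reaches `context = &worker->surfaces[surface_id].context` and reads past the surfaces array; the comment documents the precondition but nothing in the function enforces it. Since the returning variant `validate_surface` is defined immediately below, the function could guard itself with `if (!validate_surface(worker, surface_id)) return FALSE;` (it would need a forward declaration, or the new function could be placed after validate_surface). The six checks also accept a box whose top exceeds its bottom or whose left exceeds its right; if the renderer derives width/height from the box, `if (drawable->bbox.top > drawable->bbox.bottom || drawable->bbox.left > drawable->bbox.right) return FALSE;` would close that, which is worth confirming against what the drawing code does with an inverted rectangle. As a style point, the new function is indented with eight spaces while the surrounding file uses four.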
> @@ -4073,6 +4100,10 @@ static Drawable *get_drawable(RedWorker *worker, uint8_t effect, RedDrawable *re<br>
>              VALIDATE_SURFACE_RETVAL(worker, drawable->surfaces_dest[x], NULL)<br>
>          }<br>
>      }<br>
> +    if (!validate_drawable_bbox(worker, red_drawable)) {<br>
> +        rendering_incorrect(__func__);<br>
> +        return NULL;<br>
> +    }<br>
>      ring_init(&drawable->pipes);<br>
>      ring_init(&drawable->glz_ring);<br>
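Review bot: The added `return NULL` after the bbox check leaves whatever has already been set up for `drawable` in place: the hunk indexes `drawable->surfaces_dest[x]` just above, which suggests the Drawable has already been allocated by this point, so this early return — like the existing VALIDATE_SURFACE_RETVAL returns it follows — would leak it, and any reference already taken on red_drawable, on every rejected command; get_drawable's start and end are outside the hunk, so this is inferred rather than visible. If that is the case, the bbox check belongs before the allocation, alongside the surface_id validation at the top of the function, or the failure path needs to release the drawable before returning. Consider also reporting the rejected box dimensions next to `rendering_incorrect(__func__)` so a misbehaving guest driver can be diagnosed from the server log rather than just counted.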
><br>
> --<br>
> 1.9.3<br>
><br>
</p>