[Spice-commits] 3 commits - server/red_parse_qxl.c server/red_worker.c
Alon Levy
alon at kemper.freedesktop.org
Sun Jul 22 03:50:39 PDT 2012
server/red_parse_qxl.c | 26 +++++++++++++++++++-------
server/red_worker.c | 5 ++---
2 files changed, 21 insertions(+), 10 deletions(-)
New commits:
commit e29dc5250cb12cf42b6875d5a7e4bd77d2897d74
Author: Alon Levy <alevy at redhat.com>
Date: Sun Jul 22 13:42:30 2012 +0300
server/red_parse_qxl: red_get_image: fix leaks on bad image
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index deab38f..3bf49a0 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -336,7 +336,8 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
{
RedDataChunk chunks;
QXLImage *qxl;
- SpiceImage *red;
+ SpiceImage *red = NULL;
+ SpicePalette *rp = NULL;
size_t bitmap_size, size;
uint8_t qxl_flags;
int error;
@@ -368,11 +369,11 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
if (!bitmap_fmt_is_rgb(qxl->bitmap.format) && !qxl->bitmap.palette) {
spice_warning("guest error: missing palette on bitmap format=%d\n",
red->u.bitmap.format);
- return NULL;
+ goto error;
}
if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) {
spice_warning("guest error: zero area bitmap\n");
- return NULL;
+ goto error;
}
qxl_flags = qxl->bitmap.flags;
if (qxl_flags & QXL_BITMAP_TOP_DOWN) {
@@ -383,18 +384,17 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
red->u.bitmap.stride = qxl->bitmap.stride;
if (qxl->bitmap.palette) {
QXLPalette *qp;
- SpicePalette *rp;
int i, num_ents;
qp = (QXLPalette *)get_virt(slots, qxl->bitmap.palette,
sizeof(*qp), group_id, &error);
if (error) {
- return NULL;
+ goto error;
}
num_ents = qp->num_ents;
if (!validate_virt(slots, (intptr_t)qp->ents,
get_memslot_id(slots, qxl->bitmap.palette),
num_ents * sizeof(qp->ents[0]), group_id)) {
- return NULL;
+ goto error;
}
rp = spice_malloc_n_m(num_ents, sizeof(rp->ents[0]), sizeof(*rp));
rp->unique = qp->unique;
@@ -421,7 +421,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
&chunks, qxl->bitmap.data);
spice_assert(size == bitmap_size);
if (size != bitmap_size) {
- return NULL;
+ goto error;
}
red->u.bitmap.data = red_get_image_data_chunked(slots, group_id,
&chunks);
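Review bot: The `goto error` added after `spice_assert(size == bitmap_size)` is reachable only if the assertion is non-fatal or compiled out. Assuming `spice_assert` aborts on failure, a guest-supplied chunk list whose total length disagrees with the computed bitmap size stops the server process instead of taking the new cleanup path. Because the size comes from guest memory, the assertion should become a logged rejection, e.g. `spice_warning("guest error: bitmap data size mismatch\n");` inside the existing `if (size != bitmap_size)` block before the `goto error`. The QUIC branch has the same pattern with `spice_assert(size == red->u.quic.data_size)`. The body of red_get_image extends outside this hunk.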
@@ -441,7 +441,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
&chunks, (QXLDataChunk *)qxl->quic.data);
spice_assert(size == red->u.quic.data_size);
if (size != red->u.quic.data_size) {
- return NULL;
+ goto error;
}
red->u.quic.data = red_get_image_data_chunked(slots, group_id,
&chunks);
@@ -451,6 +451,14 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
spice_error("unknown type %d", red->descriptor.type);
}
return red;
+error:
+ if (red) {
+ free(red);
+ }
+ if (rp) {
+ free(rp);
+ }
+ return NULL;
}
void red_put_image(SpiceImage *red)
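Review bot: The new label `error:` has the same name as the local `int error` declared at the top of red_get_image. Labels live in a separate namespace, so this compiles, but `goto error;` placed right after `if (error) {` is easy to misread; a distinct name such as `fail:` would be clearer. The NULL guards around `free()` are also unnecessary, since `free(NULL)` is a no-op, so the cleanup can be reduced to `free(red);` and `free(rp);`. A short comment on the label stating that only `red` and the palette copy can be live at this point would help the next person who adds an error exit after the data chunks have been allocated.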
commit 7863b18cd79ac3d82e263f4331f3551e7a75ebaa
Author: Alon Levy <alevy at redhat.com>
Date: Sun Jul 22 11:35:05 2012 +0300
server/red_worker: release bad drawables
diff --git a/server/red_worker.c b/server/red_worker.c
index 5634db5..e239740 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4843,11 +4843,10 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
case QXL_CMD_DRAW: {
RedDrawable *red_drawable = red_drawable_new(); // returns with 1 ref
- if (red_get_drawable(&worker->mem_slots, ext_cmd.group_id,
+ if (!red_get_drawable(&worker->mem_slots, ext_cmd.group_id,
red_drawable, ext_cmd.cmd.data, ext_cmd.flags)) {
- break;
+ red_process_drawable(worker, red_drawable, ext_cmd.group_id);
}
- red_process_drawable(worker, red_drawable, ext_cmd.group_id);
// release the red_drawable
put_red_drawable(worker, red_drawable, ext_cmd.group_id);
break;
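Review bot: With this change a drawable that `red_get_drawable` rejected partway through parsing is passed to `put_red_drawable`, so the release path now has to cope with a partially populated `RedDrawable`. Nothing visible in the hunk shows that `red_drawable_new()` zero-initialises the object or that the release code skips fields that were never filled in; if either is not the case, a malformed guest command could lead to freeing uninitialised pointers. This should be confirmed and stated in a comment at the call site, for example `/* red_get_drawable returns non-zero on guest error; the (zeroed) drawable is still released below */`. The enclosing function red_process_commands starts and ends outside the hunk.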
commit 827f40e05c0340293711f1cd7f164abcc1da8789
Author: Alon Levy <alevy at redhat.com>
Date: Fri Jul 20 18:23:58 2012 +0300
server/red_parse_qxl: disallow zero area bitmaps
prevents division by zero later (SIGFPE, Arithmetic exception) in
spice-common code, at spice-common/common/canvas_base.c:646
for both client and server (server only upon rendering).
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 71991ca..deab38f 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -370,6 +370,10 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
red->u.bitmap.format);
return NULL;
}
+ if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) {
+ spice_warning("guest error: zero area bitmap\n");
+ return NULL;
+ }
qxl_flags = qxl->bitmap.flags;
if (qxl_flags & QXL_BITMAP_TOP_DOWN) {
red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN;
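Review bot: The reason for rejecting zero-area bitmaps is recorded only in the commit message, so the added `if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0)` looks like an arbitrary policy check to anyone reading the file. A comment above it, such as `/* a zero width or height leads to a division by zero in the canvas code, on both server and client */`, would keep the check from being relaxed later. The check covers only the bitmap case visible here; whether the other image types can carry zero dimensions to the same divisor is not visible in the hunk and is worth confirming. The body of red_get_image extends outside the hunk.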