[Spice-commits] 4 commits - server/red_parse_qxl.c server/red_worker.c server/tests

Christophe Fergau teuf at kemper.freedesktop.org
Thu Sep 18 05:10:18 PDT 2014


 server/red_parse_qxl.c   |    2 +-
 server/red_worker.c      |   33 ++++++++++++++++++++++++++++++++-
 server/tests/Makefile.am |   24 ++++++++++++------------
 3 files changed, 45 insertions(+), 14 deletions(-)

New commits:
commit e270edcbfd958d764e84cdbca6d403ff24fef610
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Tue Sep 9 18:00:30 2014 +0200

    Validate surface bounding box before using it
    
    It's possible for a buggy guest driver to pass invalid bounding box
    dimensions in QXL commands, which would then cause spice-server to
    segfault. This patch checks the size of the bounding box of the QXL
    command right after it has been parsed.
    
    This fixes rhbz#1135372

diff --git a/server/red_worker.c b/server/red_worker.c
index dcd8b77..e177b68 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1250,6 +1250,33 @@ static inline void __validate_surface(RedWorker *worker, uint32_t surface_id)
     spice_warn_if(surface_id >= worker->n_surfaces);
 }
 
+static int validate_drawable_bbox(RedWorker *worker, RedDrawable *drawable)
+{
+        DrawContext *context;
+        uint32_t surface_id = drawable->surface_id;
+
+        /* surface_id must be validated before calling into
+         * validate_drawable_bbox
+         */
+        __validate_surface(worker, surface_id);
+        context = &worker->surfaces[surface_id].context;
+
+        if (drawable->bbox.top < 0)
+                return FALSE;
+        if (drawable->bbox.left < 0)
+                return FALSE;
+        if (drawable->bbox.bottom < 0)
+                return FALSE;
+        if (drawable->bbox.right < 0)
+                return FALSE;
+        if (drawable->bbox.bottom > context->height)
+                return FALSE;
+        if (drawable->bbox.right > context->width)
+                return FALSE;
+
+        return TRUE;
+}
+
 static inline int validate_surface(RedWorker *worker, uint32_t surface_id)
 {
     spice_warn_if(surface_id >= worker->n_surfaces);
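Review bot: In `validate_drawable_bbox`, the call to `__validate_surface()` does not stop an out-of-range `surface_id`. As the context lines at the top of this hunk show, it only runs `spice_warn_if(surface_id >= worker->n_surfaces)` and returns void, so the next line still indexes `worker->surfaces[surface_id]` and the function relies on every caller having validated the id first. Since these values come from guest QXL commands, the helper should fail closed with `if (surface_id >= worker->n_surfaces) return FALSE;` before taking `context`. The checks also accept a box with `top > bottom` or `left > right` as long as each edge is in range; if later code derives a width or height from the box (not visible here), add `if (drawable->bbox.top > drawable->bbox.bottom || drawable->bbox.left > drawable->bbox.right) return FALSE;`. Minor style point: the new function is indented with 8 spaces while the surrounding functions use 4.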
@@ -4073,6 +4100,10 @@ static Drawable *get_drawable(RedWorker *worker, uint8_t effect, RedDrawable *re
             VALIDATE_SURFACE_RETVAL(worker, drawable->surfaces_dest[x], NULL)
         }
     }
+    if (!validate_drawable_bbox(worker, red_drawable)) {
+        rendering_incorrect(__func__);
+        return NULL;
+    }
     ring_init(&drawable->pipes);
     ring_init(&drawable->glz_ring);
 
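Review bot: The new `return NULL` in `get_drawable` is taken after `drawable` is already populated (the context lines just above read `drawable->surfaces_dest[x]`), so anything acquired for it earlier in the function is not released on this path. The start of get_drawable is outside the hunk, so this is inferred: if `drawable` comes from a pool or already holds a reference on `red_drawable`, a guest driver that keeps submitting out-of-range boxes would leak one per rejected command. Either run `validate_drawable_bbox(worker, red_drawable)` before the drawable is acquired, or release it before returning. The existing `VALIDATE_SURFACE_RETVAL(..., NULL)` exits in the context lines appear to follow the same pattern and would benefit from the same treatment.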
commit 2cc42d9358effcac325e63fd2b42766a771bf1bf
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Tue Sep 9 14:08:35 2014 +0200

    Fix 'abberiviations' typo in comment

diff --git a/server/red_worker.c b/server/red_worker.c
index 35a1a04..dcd8b77 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -21,7 +21,7 @@
 
 #define SPICE_LOG_DOMAIN "SpiceWorker"
 
-/* Common variable abberiviations:
+/* Common variable abbreviations:
  *
  * rcc - RedChannelClient
  * ccc - CursorChannelClient (not to be confused with common_cc)
commit 30273776ede6448e42f3bbfdc9cb48bdc0a5273b
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Fri Sep 5 15:33:49 2014 +0200

    Fix indentation in red_get_opaque_ptr
    
    This removes one extra space

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 008705f..d2329a3 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -570,7 +570,7 @@ static void red_put_fill(SpiceFill *red)
 static void red_get_opaque_ptr(RedMemSlotInfo *slots, int group_id,
                                SpiceOpaque *red, QXLOpaque *qxl, uint32_t flags)
 {
-    red->src_bitmap     = red_get_image(slots, group_id, qxl->src_bitmap, flags, FALSE);
+   red->src_bitmap     = red_get_image(slots, group_id, qxl->src_bitmap, flags, FALSE);
    red_get_rect_ptr(&red->src_area, &qxl->src_area);
    red_get_brush_ptr(slots, group_id, &red->brush, &qxl->brush, flags);
    red->rop_descriptor = qxl->rop_descriptor;
commit 504d027bb2077fecc39702e1e511b5c9f42368a7
Author: Christophe Fergeau <cfergeau at redhat.com>
Date:   Thu Aug 28 17:45:52 2014 +0200

    server/tests/Makefile.am: White-space cleanup
    
    Make sure the \ at the end of lines are nicely aligned

diff --git a/server/tests/Makefile.am b/server/tests/Makefile.am
index e2201cc..233393e 100644
--- a/server/tests/Makefile.am
+++ b/server/tests/Makefile.am
@@ -27,17 +27,17 @@ COMMON_BASE =					\
 	test_util.h				\
 	$(NULL)
 
-noinst_PROGRAMS =						\
-	test_display_no_ssl					\
-	test_display_streaming				\
-	test_empty_success					\
+noinst_PROGRAMS =				\
+	test_display_no_ssl			\
+	test_display_streaming			\
+	test_empty_success			\
 	test_fail_on_null_core_interface	\
-	test_just_sockets_no_ssl			\
-	test_playback						\
+	test_just_sockets_no_ssl		\
+	test_playback				\
 	test_display_resolution_changes		\
-	test_two_servers					\
-	test_vdagent						\
-	test_display_width_stride			\
+	test_two_servers			\
+	test_vdagent				\
+	test_display_width_stride		\
 	$(NULL)
 
 test_vdagent_SOURCES =		\
@@ -65,7 +65,7 @@ test_display_resolution_changes_SOURCES = \
 	$(COMMON_BASE)				\
 	test_display_base.c			\
 	test_display_base.h			\
-	test_display_resolution_changes.c	 \
+	test_display_resolution_changes.c	\
 	$(NULL)
 
 test_just_sockets_no_ssl_SOURCES =		\
@@ -93,9 +93,9 @@ test_two_servers_SOURCES =			\
 	test_two_servers.c 			\
 	$(NULL)
 
-test_display_width_stride_SOURCES =			\
+test_display_width_stride_SOURCES =		\
 	$(COMMON_BASE)				\
 	test_display_base.c			\
 	test_display_base.h			\
-	test_display_width_stride.c 			\
+	test_display_width_stride.c 		\
 	$(NULL)

