[Spice-devel] [PATCH] Validate surface bounding box before using it

Christophe Fergeau cfergeau at redhat.com
Wed Sep 10 08:10:08 PDT 2014


It's possible for a buggy guest driver to pass invalid bounding box
dimensions in QXL commands, which would then cause spice-server to
segfault. This patch checks the size of the bounding box of the QXL
command right after it has been parsed.

This fixes rhbz#1135372
---
 server/red_worker.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/server/red_worker.c b/server/red_worker.c
index dcd8b77..e177b68 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1250,6 +1250,33 @@ static inline void __validate_surface(RedWorker *worker, uint32_t surface_id)
     spice_warn_if(surface_id >= worker->n_surfaces);
 }
 
+static int validate_drawable_bbox(RedWorker *worker, RedDrawable *drawable)
+{
+        DrawContext *context;
+        uint32_t surface_id = drawable->surface_id;
+
+        /* surface_id must be validated before calling into
+         * validate_drawable_bbox
+         */
+        __validate_surface(worker, surface_id);
+        context = &worker->surfaces[surface_id].context;
+
+        if (drawable->bbox.top < 0)
+                return FALSE;
+        if (drawable->bbox.left < 0)
+                return FALSE;
+        if (drawable->bbox.bottom < 0)
+                return FALSE;
+        if (drawable->bbox.right < 0)
+                return FALSE;
+        if (drawable->bbox.bottom > context->height)
+                return FALSE;
+        if (drawable->bbox.right > context->width)
+                return FALSE;
+
+        return TRUE;
+}
+
 static inline int validate_surface(RedWorker *worker, uint32_t surface_id)
 {
     spice_warn_if(surface_id >= worker->n_surfaces);
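Review bot: The new checks on L36-L47 never reject an inverted box, so a guest can still pass `left > right` or `top > bottom` (e.g. left = width, right = 0) and the rectangle reaches the renderer with a negative extent; add `if (drawable->bbox.left > drawable->bbox.right) return FALSE;` and `if (drawable->bbox.top > drawable->bbox.bottom) return FALSE;` next to the existing range checks. Note also that `__validate_surface` on L33 only warns (see L22), so the index into `worker->surfaces[surface_id]` on L34 is safe solely because of the caller precondition stated in the comment; since `validate_surface` (L52, body continues past the hunk) appears to return a status, using it with an early return would make the helper self-contained. The eight-space indentation of the new function also differs from the four spaces used elsewhere in the file (L22, L54).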
@@ -4073,6 +4100,10 @@ static Drawable *get_drawable(RedWorker *worker, uint8_t effect, RedDrawable *re
             VALIDATE_SURFACE_RETVAL(worker, drawable->surfaces_dest[x], NULL)
         }
     }
+    if (!validate_drawable_bbox(worker, red_drawable)) {
+        rendering_incorrect(__func__);
+        return NULL;
+    }
     ring_init(&drawable->pipes);
     ring_init(&drawable->glz_ring);
 
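Review bot: The call on L59 indexes `worker->surfaces[red_drawable->surface_id]` guarded only by a warning, so it is safe only if `red_drawable->surface_id` was range-checked earlier in `get_drawable`; the visible lines (L56) only validate `surfaces_dest[x]`, and the start of the function is outside the hunk, so this should be confirmed, or a `VALIDATE_SURFACE_RETVAL(worker, red_drawable->surface_id, NULL)` placed before the bbox check. If `drawable` has already been taken from the worker's pool by this point, the early `return NULL` on L61 would leak it, though the surface checks above return the same way, so presumably the allocation happens later; the remainder of `get_drawable` is also outside the hunk.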
-- 
1.9.3


