[Spice-devel] [PATCH] Validate surface bounding box before using it

Fabiano Fidêncio fabiano at fidencio.org
Wed Sep 10 14:07:15 PDT 2014


On Sep 10, 2014 5:10 PM, "Christophe Fergeau" <cfergeau at redhat.com> wrote:
>
> It's possible for a buggy guest driver to pass invalid bounding box
> dimensions in QXL commands, which would then cause spice-server to
> segfault. This patch checks the size of the bounding box of the QXL
> command right after it has been parsed.
>
> This fixes rhbz#1135372

ACK.

> ---
>  server/red_worker.c | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/server/red_worker.c b/server/red_worker.c
> index dcd8b77..e177b68 100644
> --- a/server/red_worker.c
> +++ b/server/red_worker.c
> @@ -1250,6 +1250,33 @@ static inline void __validate_surface(RedWorker
*worker, uint32_t surface_id)
>      spice_warn_if(surface_id >= worker->n_surfaces);
>  }
>
> +static int validate_drawable_bbox(RedWorker *worker, RedDrawable
*drawable)
> +{
> +        DrawContext *context;
> +        uint32_t surface_id = drawable->surface_id;
> +
> +        /* surface_id must be validated before calling into
> +         * validate_drawable_bbox
> +         */
> +        __validate_surface(worker, surface_id);
> +        context = &worker->surfaces[surface_id].context;
> +
> +        if (drawable->bbox.top < 0)
> +                return FALSE;
> +        if (drawable->bbox.left < 0)
> +                return FALSE;
> +        if (drawable->bbox.bottom < 0)
> +                return FALSE;
> +        if (drawable->bbox.right < 0)
> +                return FALSE;
> +        if (drawable->bbox.bottom > context->height)
> +                return FALSE;
> +        if (drawable->bbox.right > context->width)
> +                return FALSE;
> +
> +        return TRUE;
> +}
> +
>  static inline int validate_surface(RedWorker *worker, uint32_t
surface_id)
>  {
>      spice_warn_if(surface_id >= worker->n_surfaces);
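Review bot: validate_drawable_bbox accepts inverted or empty rectangles: nothing checks that `drawable->bbox.top <= drawable->bbox.bottom` and `drawable->bbox.left <= drawable->bbox.right`, so a box with bottom below top (or right left of left) passes all six tests; if later code derives a width or height from the bbox, add those two comparisons next to the `> context->height` / `> context->width` checks. Note also that `__validate_surface` only warns (`spice_warn_if`) and does not bail out, so the comment saying surface_id must be validated before calling is load-bearing: `&worker->surfaces[surface_id].context` is still indexed out of range if a caller forgets it. Minor: the new function is indented with 8 spaces while the surrounding code uses 4.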
> @@ -4073,6 +4100,10 @@ static Drawable *get_drawable(RedWorker *worker,
uint8_t effect, RedDrawable *re
>              VALIDATE_SURFACE_RETVAL(worker, drawable->surfaces_dest[x],
NULL)
>          }
>      }
> +    if (!validate_drawable_bbox(worker, red_drawable)) {
> +        rendering_incorrect(__func__);
> +        return NULL;
> +    }
>      ring_init(&drawable->pipes);
>      ring_init(&drawable->glz_ring);
>
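Review bot: the rejection path records only the function name via `rendering_incorrect(__func__)`; since the point of the check is to reject data from a buggy guest driver, logging the rejected bbox values and surface id would make the condition diagnosable from the spice-server log rather than just visible as a dropped drawable. Placement looks right: the call follows the VALIDATE_SURFACE_RETVAL loop, which satisfies the precondition in validate_drawable_bbox, and returning NULL matches the existing VALIDATE_SURFACE_RETVAL error path, so the caller's NULL handling already covers it.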
> --
> 1.9.3
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel