[Spice-devel] [PATCH xf86-video-qxl] When uploading a region, do not go outside the source image size.

Jeremy White jwhite at codeweavers.com
Fri Sep 12 12:25:14 PDT 2014


This problem was exposed (and probably only occurs) when using XSpice
in dfps mode with spice-html5, and resizing from larger to smaller.
The screen would be resized, but the update region would still attempt
to transmit any pending changes to the (now) truncated surface.  This
would often lead to a crash.

Signed-off-by: Jeremy White <jwhite at codeweavers.com>
---
 src/qxl_image.c   |    2 ++
 src/qxl_surface.c |    9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/qxl_image.c b/src/qxl_image.c
index 8927fd4..53212de 100644
--- a/src/qxl_image.c
+++ b/src/qxl_image.c
@@ -62,6 +62,8 @@ hash_and_copy (const uint8_t *src, int src_stride,
 	const uint8_t *src_line = src + i * src_stride;
 	uint8_t *dest_line = dest + i * dest_stride;
 	int n_bytes = width * bytes_per_pixel;
+        if (n_bytes > src_stride)
+            n_bytes = src_stride;
 
 	if (dest)
 	    memcpy (dest_line, src_line, n_bytes);
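Review bot: The new clamp on n_bytes in hash_and_copy only bounds each row copy by the full src_stride, which is enough only if src points at the start of a source row. src_line is computed as src + i * src_stride, so if the caller has already advanced src by an x offset, a copy of src_stride bytes still reads past the end of the row, and nothing in the visible lines limits the number of rows. Since the caller is clamped in qxl_surface.c in this same patch, consider making this a checked precondition with a comment naming the invariant it guards, so that a truncated copy is not silent. The two added lines are also indented with spaces where the surrounding lines use a tab.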
diff --git a/src/qxl_surface.c b/src/qxl_surface.c
index 1075eae..72a7f88 100644
--- a/src/qxl_surface.c
+++ b/src/qxl_surface.c
@@ -290,10 +290,13 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
     int stride;
     int bpp;
 
+    if (b->x1 >= qxl->virtual_x || b->y1 >= qxl->virtual_y)
+        return;
+
     rect.left = b->x1;
-    rect.right = b->x2;
+    rect.right = min(b->x2, qxl->virtual_x);
     rect.top = b->y1;
-    rect.bottom = b->y2;
+    rect.bottom = min(b->y2, qxl->virtual_y);
 
     drawable_bo = make_drawable (qxl, qxl->primary, QXL_DRAW_COPY, &rect);
     drawable = qxl->bo_funcs->bo_map(drawable_bo);
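Review bot: The bounds in upload_one_primary_region come from qxl->virtual_x and qxl->virtual_y, while the subject line promises to stay inside the source image and the bits are later read from pixmap. If the pixmap and the virtual size can disagree during a resize, clamp against the pixmap's own dimensions (pixmap->drawable.width and pixmap->drawable.height), or add a comment stating why the two always match. Only the upper edges are checked: a negative b->x1 or b->y1 passes the early return and reaches rect.left and rect.top unchanged, so a lower-bound check is worth adding if such boxes are possible. A one-line comment above the early return naming the larger-to-smaller resize case would help future readers.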
@@ -309,7 +312,7 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
 
     fbGetPixmapBitsData(pixmap, data, stride, bpp);
     image_bo = qxl_image_create (
-	qxl, (const uint8_t *)data, b->x1, b->y1, b->x2 - b->x1, b->y2 - b->y1, stride * sizeof(*data),
+	qxl, (const uint8_t *)data, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, stride * sizeof(*data),
 	bpp == 24 ? 4 : bpp / 8, TRUE);
     qxl->bo_funcs->bo_output_bo_reloc(qxl, offsetof(QXLDrawable, u.copy.src_bitmap),
 				   drawable_bo, image_bo);
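Review bot: The qxl_image_create call now spells out rect.right - rect.left and rect.bottom - rect.top inline on one very long line. Computing width and height into locals right after rect is filled would keep the call readable and give a single place to confirm both are positive before the upload, for example when b->x2 <= b->x1 or b->y2 <= b->y1.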
-- 
1.7.10.4


