[Spice-devel] [PATCH] red-parse-qxl: Check consistency of QXL_DRAW_COPY operations
Francois Gouget
fgouget at codeweavers.com
Thu May 26 13:01:48 UTC 2016
The source area should not extend outside the source bitmap, or have
swapped coordinates.
Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
---
The patch could be wrong: I could not find any documentation, neither in
the code nor in docs/Spice_protocol.odt, that says what should
happen if the src_area goes outside the src_bitmap, or if the src_area
boundaries are swapped.
For instance let's say we have a 100x100 src_bitmap.
What happens if src_area is:
* ( 90, 90)-(110,110)
* (-10,-10)-( 10, 10)
* (110, 0)-(120, 10)
* (90, 0)-( 0, 10)
This patch considers all these to be invalid.
server/red-parse-qxl.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 0dafbef..fff79f0 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -682,6 +682,17 @@ static int red_get_copy_ptr(RedMemSlotInfo *slots, int group_id,
return 1;
}
red_get_rect_ptr(&red->src_area, &qxl->src_area);
+ /* The source area should not extend outside the source bitmap or have
+ * swapped coordinates.
+ */
+ if (red->src_bitmap->descriptor.type == SPICE_IMAGE_TYPE_BITMAP &&
+ (red->src_area.left < 0 ||
+ red->src_area.left > red->src_area.right ||
+ red->src_area.right > red->src_bitmap->u.bitmap.x ||
+ red->src_area.top < 0 || red->src_area.top > red->src_area.bottom ||
+ red->src_area.bottom > red->src_bitmap->u.bitmap.y)) {
+ return 1;
+ }
red->rop_descriptor = qxl->rop_descriptor;
red->scale_mode = qxl->scale_mode;
red_get_qmask_ptr(slots, group_id, &red->mask, &qxl->mask, flags);
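Review bot: the new src_area bounds check only runs when `red->src_bitmap->descriptor.type == SPICE_IMAGE_TYPE_BITMAP`, so a QXL_DRAW_COPY whose source image has any other type still reaches the assignments below with a src_area that was never validated. Either validate against the dimensions of the other image types as well, or extend the comment to say why they are exempt, so the gap is a documented decision rather than an accident. Two smaller points in the same condition: `red->src_area.left > red->src_area.right` and `red->src_area.top > red->src_area.bottom` still accept left == right and top == bottom, so a zero-width or zero-height source area passes; if an empty source is not meaningful for a copy, use `>=`. The `return 1` also happens after red->src_bitmap has been populated, so please confirm that the caller's error path releases it.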
--
2.8.1