[Spice-devel] [PATCH] red-parse-qxl: Check consistency of QXL_DRAW_COPY operations

[Frediano Ziglio]

> 
> The source area should not extend outside the source bitmap, or have
> swapped coordinates.
> 
> Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
> ---
> 
> The patch could be wrong: I could not find any documentation, neither in
> the code, neither in docs/Spice_protocol.odt, that says what should
> happen if the src_area goes outside the src_bitmap, or if the src_area
> boundaries are swapped.
> 
> For instance let's say we have a 100x100 src_bitmap.
> What happens if src_area is:
>  * ( 90, 90)-(110,110)
>  * (-10,-10)-( 10, 10)
>  * (110,  0)-(120, 10)
>  * (90,   0)-(  0, 10)
> 
> This patch considers all these to be invalid.
> 

Did you had these issues with some drivers ?
I would also considering releasing QXL resource anyway.

Frediano

>  server/red-parse-qxl.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
> index 0dafbef..fff79f0 100644
> --- a/server/red-parse-qxl.c
> +++ b/server/red-parse-qxl.c
> @@ -682,6 +682,17 @@ static int red_get_copy_ptr(RedMemSlotInfo *slots, int
> group_id,
>          return 1;
>      }
>      red_get_rect_ptr(&red->src_area, &qxl->src_area);
> +    /* The source area should not extend outside the source bitmap or have
> +     * swapped coordinates.
> +     */
> +    if (red->src_bitmap->descriptor.type == SPICE_IMAGE_TYPE_BITMAP &&
> +        (red->src_area.left < 0 ||
> +         red->src_area.left > red->src_area.right ||
> +         red->src_area.right > red->src_bitmap->u.bitmap.x ||
> +         red->src_area.top < 0 || red->src_area.top > red->src_area.bottom
> ||
> +         red->src_area.bottom > red->src_bitmap->u.bitmap.y)) {
> +        return 1;
> +    }
>      red->rop_descriptor  = qxl->rop_descriptor;
>      red->scale_mode      = qxl->scale_mode;
>      red_get_qmask_ptr(slots, group_id, &red->mask, &qxl->mask, flags);