[Spice-devel] [spice-gtk] cursor: Add sanity checks for hotspot x/y values
Christophe Fergeau
cfergeau at redhat.com
Mon Jul 17 12:00:18 UTC 2017
The cursor hotspot values have to be inside the cursor bounding box,
otherwise on X11 this may cause a crash of the application using
spice-gtk.
This is the client-side part of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864998
Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
---
src/channel-cursor.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/channel-cursor.c b/src/channel-cursor.c
index 14053a92..d7fa3df9 100644
--- a/src/channel-cursor.c
+++ b/src/channel-cursor.c
@@ -405,6 +405,18 @@ static display_cursor *set_cursor(SpiceChannel *channel, SpiceCursor *scursor)
g_return_val_if_fail(scursor->data_size != 0, NULL);
+ if (hdr->hot_spot_x > hdr->width) {
+ CHANNEL_DEBUG(channel,
+ "hot spot X position (%d) is outside cursor area, capping to cursor width (%d)",
+ hdr->hot_spot_x, hdr->width);
+ hdr->hot_spot_x = hdr->width;
+ }
+ if (hdr->hot_spot_y > hdr->height) {
+ CHANNEL_DEBUG(channel,
+ "hot spot Y position (%d) is outside cursor area, capping to cursor height (%d)",
+ hdr->hot_spot_y, hdr->height);
+ hdr->hot_spot_y = hdr->height;
+ }
size = 4u * hdr->width * hdr->height;
cursor = g_malloc0(sizeof(*cursor) + size);
cursor->hdr = *hdr;
--
2.13.3
More information about the Spice-devel
mailing list