[Spice-devel] [spice-gtk] cursor: Add sanity checks for hotspot x/y values

Christophe Fergeau cfergeau at redhat.com
Mon Jul 17 12:00:18 UTC 2017


The cursor hotspot values have to be inside the cursor bounding box,
otherwise on X11 this may cause a crash of the application using
spice-gtk.

This is the client-side part of
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864998

Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
---
 src/channel-cursor.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/channel-cursor.c b/src/channel-cursor.c
index 14053a92..d7fa3df9 100644
--- a/src/channel-cursor.c
+++ b/src/channel-cursor.c
@@ -405,6 +405,18 @@ static display_cursor *set_cursor(SpiceChannel *channel, SpiceCursor *scursor)
 
     g_return_val_if_fail(scursor->data_size != 0, NULL);
 
+    if (hdr->hot_spot_x > hdr->width) {
+        CHANNEL_DEBUG(channel,
+                      "hot spot X position (%d) is outside cursor area, capping to cursor width (%d)",
+                      hdr->hot_spot_x, hdr->width);
+        hdr->hot_spot_x = hdr->width;
+    }
+    if (hdr->hot_spot_y > hdr->height) {
+        CHANNEL_DEBUG(channel,
+                      "hot spot Y position (%d) is outside cursor area, capping to cursor height (%d)",
+                      hdr->hot_spot_y, hdr->height);
+        hdr->hot_spot_y = hdr->height;
+    }
     size = 4u * hdr->width * hdr->height;
     cursor = g_malloc0(sizeof(*cursor) + size);
     cursor->hdr = *hdr;
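Review bot: Both new checks, `hdr->hot_spot_x > hdr->width` and `hdr->hot_spot_y > hdr->height`, let a hot spot equal to the width or height through, and the capping assignments set exactly that value. With zero-based pixel coordinates the last valid column is `width - 1` and the last valid row is `height - 1`, so a hot spot at `width` or `height` is still one past the bounding box that the commit message says it must stay inside. Consider comparing with `>=` and capping to `hdr->width - 1` / `hdr->height - 1`. That needs a guard for a zero width or height, which nothing in the visible context rejects (only `data_size != 0` is checked). Since an out-of-range value here means a malformed cursor message from the server, a warning may also be more useful than `CHANNEL_DEBUG`, which is easy to miss when triaging.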
-- 
2.13.3


