[Spice-devel] [spice-gtk] cursor: Add sanity checks for hotspot x/y values

Marc-André Lureau marcandre.lureau at redhat.com
Mon Jul 17 12:04:11 UTC 2017


Hi

----- Original Message -----
> The cursor hotspot values have to be inside the cursor bounding box,
> otherwise on X11 this may cause a crash of the application using
> spice-gtk.
> 
> This is the client-side part of
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864998
> 
> Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau at redhat.com>

> ---
>  src/channel-cursor.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/src/channel-cursor.c b/src/channel-cursor.c
> index 14053a92..d7fa3df9 100644
> --- a/src/channel-cursor.c
> +++ b/src/channel-cursor.c
> @@ -405,6 +405,18 @@ static display_cursor *set_cursor(SpiceChannel *channel,
> SpiceCursor *scursor)
>  
>      g_return_val_if_fail(scursor->data_size != 0, NULL);
>  
> +    if (hdr->hot_spot_x > hdr->width) {
> +        CHANNEL_DEBUG(channel,
> +                      "hot spot X position (%d) is outside cursor area,
> capping to cursor width (%d)",
> +                      hdr->hot_spot_x, hdr->width);
> +        hdr->hot_spot_x = hdr->width;
> +    }
> +    if (hdr->hot_spot_y > hdr->height) {
> +        CHANNEL_DEBUG(channel,
> +                      "hot spot Y position (%d) is outside cursor area,
> capping to cursor height (%d)",
> +                      hdr->hot_spot_y, hdr->height);
> +        hdr->hot_spot_y = hdr->height;
> +    }
>      size = 4u * hdr->width * hdr->height;
>      cursor = g_malloc0(sizeof(*cursor) + size);
>      cursor->hdr = *hdr;
> --
> 2.13.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
> 


More information about the Spice-devel mailing list