xen-changelog

[Xen-changelog] [xen-3.1-testing] pvfb: PVFB SDL backend chokes on bogus

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.1-testing] pvfb: PVFB SDL backend chokes on bogus screen updates
From: "Xen patchbot-3.1-testing" <patchbot-3.1-testing@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 10 Dec 2007 03:10:29 -0800
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1196958896 0
# Node ID 4c5138be79914bf210052a3ff81ae9a87ab13aa8
# Parent  930b728b07ffe35ff488305caf087e9a48424572
pvfb: PVFB SDL backend chokes on bogus screen updates

Bogus screen update requests from a buggy or malicious frontend make SDL
crash.  The VNC backend silently ignores them.  Catch and log them.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
xen-unstable changeset:   16386:614dad9f8fdcda21b5e0083cce3320b17bfcefdd
xen-unstable date:        Fri Nov 16 16:53:43 2007 +0000
---
 tools/xenfb/xenfb.c |   30 ++++++++++++++++++++++++++++--
 1 files changed, 28 insertions(+), 2 deletions(-)

diff -r 930b728b07ff -r 4c5138be7991 tools/xenfb/xenfb.c
--- a/tools/xenfb/xenfb.c       Thu Dec 06 16:29:08 2007 +0000
+++ b/tools/xenfb/xenfb.c       Thu Dec 06 16:34:56 2007 +0000
@@ -20,6 +20,13 @@
 #include <xs.h>
 
 #include "xenfb.h"
+
+#ifndef MIN
+#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+#endif
+#ifndef MAX
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#endif
 
 // FIXME defend against malicious frontend?
 
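Review bot: The MIN and MAX macros added at the top of xenfb.c evaluate each argument twice, and the call sites later in this patch pass event->update.x, event->update.width and the other fields to them directly, so a field may be read once for the comparison and again for the result. If event points into the page shared with the frontend, those two reads can disagree. Copying the four fields into locals once and applying MIN/MAX to the locals would avoid that. The "// FIXME defend against malicious frontend?" comment just below is left unchanged; it would help to update it to say what this change now covers and what is still open.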
@@ -617,6 +624,7 @@ static void xenfb_on_fb_event(struct xen
 {
        uint32_t prod, cons;
        struct xenfb_page *page = xenfb->fb.page;
+       int x, y, w, h;
 
        prod = page->out_prod;
        if (prod == page->out_cons)
@@ -627,10 +635,28 @@ static void xenfb_on_fb_event(struct xen
 
                switch (event->type) {
                case XENFB_TYPE_UPDATE:
-                    if (xenfb->pub.update)
+                       if (!xenfb->pub.update)
+                               break;
+                       x = MAX(event->update.x, 0);
+                       y = MAX(event->update.y, 0);
+                       w = MIN(event->update.width, xenfb->pub.width - x);
+                       h = MIN(event->update.height, xenfb->pub.height - y);
+                       if (w < 0 || h < 0) {
+                               fprintf(stderr, "%s bogus update ignored\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
+                       if (x != event->update.x || y != event->update.y
+                           || w != event->update.width
+                           || h != event->update.height) {
+                               fprintf(stderr, "%s bogus update clipped\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
                        xenfb->pub.update(&xenfb->pub,
                                          event->update.x, event->update.y,
-                                         event->update.width, 
event->update.height);
+                                         event->update.width,
+                                         event->update.height);
                     break;
                }
        }
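Review bot: In the second check under case XENFB_TYPE_UPDATE, the branch logs "bogus update clipped" and then hits break, so the request is dropped rather than drawn with the clipped rectangle. Either call xenfb->pub.update() with x, y, w, h in that branch or change the message to say the update is ignored. The final call also still passes event->update.x, event->update.y, event->update.width and event->update.height, read again from the event after the checks, instead of the validated locals; passing x, y, w, h would guarantee that the values checked are the values used. Both fprintf calls fire once per bad event with no rate limit, so a frontend that keeps sending out-of-range rectangles can grow the backend's stderr log without bound; logging only the first occurrence per device, or counting them, would bound that.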
