# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1196958896 0
# Node ID 4c5138be79914bf210052a3ff81ae9a87ab13aa8
# Parent 930b728b07ffe35ff488305caf087e9a48424572
pvfb: PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
xen-unstable changeset: 16386:614dad9f8fdcda21b5e0083cce3320b17bfcefdd
xen-unstable date: Fri Nov 16 16:53:43 2007 +0000
---
tools/xenfb/xenfb.c | 30 ++++++++++++++++++++++++++++--
1 files changed, 28 insertions(+), 2 deletions(-)
diff -r 930b728b07ff -r 4c5138be7991 tools/xenfb/xenfb.c
--- a/tools/xenfb/xenfb.c Thu Dec 06 16:29:08 2007 +0000
+++ b/tools/xenfb/xenfb.c Thu Dec 06 16:34:56 2007 +0000
@@ -20,6 +20,13 @@
#include <xs.h>
#include "xenfb.h"
+
+#ifndef MIN
+#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+#endif
+#ifndef MAX
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#endif
// FIXME defend against malicious frontend?
@@ -617,6 +624,7 @@ static void xenfb_on_fb_event(struct xen
{
uint32_t prod, cons;
struct xenfb_page *page = xenfb->fb.page;
+ int x, y, w, h;
prod = page->out_prod;
if (prod == page->out_cons)
@@ -627,10 +635,28 @@ static void xenfb_on_fb_event(struct xen
switch (event->type) {
case XENFB_TYPE_UPDATE:
- if (xenfb->pub.update)
+ if (!xenfb->pub.update)
+ break;
+ x = MAX(event->update.x, 0);
+ y = MAX(event->update.y, 0);
+ w = MIN(event->update.width, xenfb->pub.width - x);
+ h = MIN(event->update.height, xenfb->pub.height - y);
+ if (w < 0 || h < 0) {
+ fprintf(stderr, "%s bogus update ignored\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ if (x != event->update.x || y != event->update.y
+ || w != event->update.width
+ || h != event->update.height) {
+ fprintf(stderr, "%s bogus update clipped\n",
+ xenfb->fb.nodename);
+ break;
+ }
xenfb->pub.update(&xenfb->pub,
event->update.x, event->update.y,
- event->update.width,
event->update.height);
+ event->update.width,
+ event->update.height);
break;
}
}
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|