xen-devel

[Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus sc

To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates
From: Markus Armbruster <armbru@xxxxxxxxxx>
Date: Tue, 13 Nov 2007 17:44:30 +0100
Delivery-date: Tue, 13 Nov 2007 08:45:20 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <871waurt8t.fsf@xxxxxxxxxxxxxxxxx> (Markus Armbruster's message of "Tue\, 13 Nov 2007 17\:43\:30 +0100")
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <871waurt8t.fsf@xxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Bogus screen update requests from a buggy or malicious frontend make SDL
crash.  The VNC backend silently ignores them.  Catch and log them.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>


diff -r 837f83225153 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Fri Nov 09 12:08:37 2007 +0000
+++ b/tools/ioemu/hw/xenfb.c    Tue Nov 13 17:30:22 2007 +0100
@@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen
        rmb();                  /* ensure we see ring contents up to prod */
        for (cons = page->out_cons; cons != prod; cons++) {
                union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+               int x, y, w, h;
 
                switch (event->type) {
                case XENFB_TYPE_UPDATE:
-                       xenfb_guest_copy(xenfb,
-                                        event->update.x, event->update.y,
-                                        event->update.width, 
event->update.height);
+                       x = MAX(event->update.x, 0);
+                       y = MAX(event->update.y, 0);
+                       w = MIN(event->update.width, xenfb->width - x);
+                       h = MIN(event->update.height, xenfb->height - y);
+                       if (w < 0 || h < 0) {
+                               fprintf(stderr, "%s bogus update ignored\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
+                       if (x != event->update.x || y != event->update.y
+                           || w != event->update.width
+                           || h != event->update.height) {
+                               fprintf(stderr, "%s bogus update clipped\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
+                       xenfb_guest_copy(xenfb, x, y, w, h);
                        break;
                }
        }
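
Review bot: the second check, `if (x != event->update.x || ...)`, logs "bogus update clipped" and then hits `break`, so `xenfb_guest_copy(xenfb, x, y, w, h)` is never reached for a clamped rectangle; the update is dropped, not clipped. Either remove that `break` so the clamped rectangle is actually copied, or change the message to say the update was ignored and fold the two checks into one. Separately, `event` points at a ring entry produced by the frontend that the commit message treats as possibly malicious, and each field is read once for the clamp and again for the comparison (more often if `MAX`/`MIN` are macros that evaluate their arguments twice), so a value can change between check and use; read `event->update.x`, `.y`, `.width` and `.height` into locals once and validate only those copies. Both `fprintf(stderr, ...)` calls fire once per event under frontend control, so consider rate-limiting them to keep the log from being flooded.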

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
