[PATCH xf86-video-qxl 3/4] qxl_surface: protect from out of bounds rectangles

Alon Levy <alevy@xxxxxxxxxx> · Mon, 15 Jul 2013 14:58:40 +0300

upload_one_primary_region which is called by dfps for each damage box
can contain rectangles that are outside of the primary surface if the
primary surface has been destroyed in the mean while. Adding a check at
upload_one_primary_region solves this problem and also prevents possibly
other future SEGFAULTs from a different path.
---
 src/qxl_surface.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/qxl_surface.c b/src/qxl_surface.c
index 5e6737a..f82119a 100644
--- a/src/qxl_surface.c
+++ b/src/qxl_surface.c
@@ -280,6 +280,8 @@ qxl_upload_box (qxl_surface_t *surface, int x1, int y1, int x2, int y2)
     }
 }
 
+#define MIN(a, b) ((a) > (b) ? (b) : (a))
+
 static void
 upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
 {
@@ -289,11 +291,22 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
     FbBits *data;
     int stride;
     int bpp;
-
-    rect.left = b->x1;
-    rect.right = b->x2;
-    rect.top = b->y1;
-    rect.bottom = b->y2;
+    int x2;
+    int y2;
+    int x1;
+    int y1;
+
+    x2 = MIN(b->x2, qxl->virtual_x);
+    y2 = MIN(b->y2, qxl->virtual_y);
+    x1 = MIN(b->x1, x2);
+    y1 = MIN(b->y1, y2);
+    if (x1 == x2 || y1 == y2) {
+	    return;
+    }
+    rect.left = x1;
+    rect.right = x2;
+    rect.top = y1;
+    rect.bottom = y2;
 
     drawable_bo = make_drawable (qxl, qxl->primary, QXL_DRAW_COPY, &rect);
     drawable = qxl->bo_funcs->bo_map(drawable_bo);
@@ -309,7 +322,7 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
 
     fbGetPixmapBitsData(pixmap, data, stride, bpp);
     image_bo = qxl_image_create (
-	qxl, (const uint8_t *)data, b->x1, b->y1, b->x2 - b->x1, b->y2 - b->y1, stride * sizeof(*data),
+	qxl, (const uint8_t *)data, x1, y1, x2 - x1, y2 - y1, stride * sizeof(*data),
 	bpp == 24 ? 4 : bpp / 8, TRUE);
     qxl->bo_funcs->bo_output_bo_reloc(qxl, offsetof(QXLDrawable, u.copy.src_bitmap),
 				   drawable_bo, image_bo);
-- 
1.8.3.1

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel







