[PATCH xf86-video-qxl v2] When uploading a region, do not go outside the source image size.

Jeremy White <jwhite@xxxxxxxxxxxxxxx> · Fri, 19 Sep 2014 11:43:09 -0500

This problem was exposed (and probably only occurs) when using XSpice
in dfps mode with spice-html5, and resizing from larger to smaller.
The screen would be resized, but the update region would still attempt
to transmit any pending changes to the (now) truncated surface.  This
would often lead to a crash.

Signed-off-by: Jeremy White <jwhite@xxxxxxxxxxxxxxx>
---
 src/qxl_image.c   |    2 ++
 src/qxl_surface.c |    9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/qxl_image.c b/src/qxl_image.c
index 8927fd4..1975df6 100644
--- a/src/qxl_image.c
+++ b/src/qxl_image.c
@@ -62,6 +62,8 @@ hash_and_copy (const uint8_t *src, int src_stride,
 	const uint8_t *src_line = src + i * src_stride;
 	uint8_t *dest_line = dest + i * dest_stride;
 	int n_bytes = width * bytes_per_pixel;
+	if (n_bytes > src_stride)
+	    n_bytes = src_stride;
 
 	if (dest)
 	    memcpy (dest_line, src_line, n_bytes);
diff --git a/src/qxl_surface.c b/src/qxl_surface.c
index 1075eae..72a7f88 100644
--- a/src/qxl_surface.c
+++ b/src/qxl_surface.c
@@ -290,10 +290,13 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
     int stride;
     int bpp;
 
+    if (b->x1 >= qxl->virtual_x || b->y1 >= qxl->virtual_y)
+        return;
+
     rect.left = b->x1;
-    rect.right = b->x2;
+    rect.right = min(b->x2, qxl->virtual_x);
     rect.top = b->y1;
-    rect.bottom = b->y2;
+    rect.bottom = min(b->y2, qxl->virtual_y);
 
     drawable_bo = make_drawable (qxl, qxl->primary, QXL_DRAW_COPY, &rect);
     drawable = qxl->bo_funcs->bo_map(drawable_bo);
@@ -309,7 +312,7 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr pixmap, BoxPtr b)
 
     fbGetPixmapBitsData(pixmap, data, stride, bpp);
     image_bo = qxl_image_create (
-	qxl, (const uint8_t *)data, b->x1, b->y1, b->x2 - b->x1, b->y2 - b->y1, stride * sizeof(*data),
+	qxl, (const uint8_t *)data, rect.left, rect.top, rect.right - rect.left, rect.bottom - rect.top, stride * sizeof(*data),
 	bpp == 24 ? 4 : bpp / 8, TRUE);
     qxl->bo_funcs->bo_output_bo_reloc(qxl, offsetof(QXLDrawable, u.copy.src_bitmap),
 				   drawable_bo, image_bo);
-- 
1.7.10.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel







