> > Hi, > > On Mon, May 22, 2017 at 11:41:02AM +0100, Frediano Ziglio wrote: > > In the past CursorItem structure was stored in > > RedCursorCmd::device_data field so the check was there to check if the > > structure fit into that field. > > Since 2ba69f9f8819daaa3d166c4c1c7e03b121b88a95 > > A lit bit hard to follow, this one > Yes, the mentioned patch is quite big and the topic is not much related to this. However you can see that "device_data" access was removed. > > ("libspice: add surface 0 support") the structure is no more stored in > > the field so there's no reason for this check causing only confusion. > > > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > > --- > > server/cursor-channel.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/server/cursor-channel.c b/server/cursor-channel.c > > index 6aea64a..a876113 100644 > > --- a/server/cursor-channel.c > > +++ b/server/cursor-channel.c > > @@ -34,8 +34,6 @@ typedef struct CursorItem { > > RedCursorCmd *red_cursor; > > } CursorItem; > > > > -G_STATIC_ASSERT(sizeof(CursorItem) <= QXL_CURSUR_DEVICE_DATA_SIZE); > > - > > I don't see any other use for QXL_CURSUR_DEVICE_DATA_SIZE in my local > workspace besides: > > spice-protocol/spice/qxl_dev.h:335: > #define QXL_CURSUR_DEVICE_DATA_SIZE 128 > spice-protocol/spice/qxl_dev.h:352: > uint8_t device_data[QXL_CURSUR_DEVICE_DATA_SIZE]; //todo: dynamic size from > rom > > Is that useless now? > Maybe but is not so easy to remove. Now, did some grep too and basically nobody uses device_data field. Is not surprising as was used to store spice-server data in qxl card memory... once spice-server usage was gone the fields stopped to be used. However this now is an ABI and the size of QXLCursorCmd is part of the ABI. Although this is the last field and QXLCursorCmd is not included in any array/structures (but just pointed from the cursor ring) this can cause problems. Let say for instance that the field is removed. The QXL drivers will allocate less bytes and pass less bytes. Now if the spice-server you are using is using the old length it will check for memory bounds using the old (bigger) size. If the cursor commands was allocated at the end of QXL memory region (quite unlikely but not impossible) the red-parse-qxl.c code will detect an error and discard the command. Not sure if this is the only issue of removing the field but I think that this change is not strongly related to this one and should be addresses in a follow up. > (hmm, checking qxl-wddm-dod) > [0] https://gitlab.com/spice/qxl-wddm-dod > > Okay, here is also not used and header is actually duplicated (shouldn't > we use the header from spice-protocol here? see: > > $ qxl-wddm-dod (master 1a81d6d3) $ grepi "qxl_dev" * > qxldod/include/qxl_dev.h:32:#ifndef _H_QXL_DEV > qxldod/include/qxl_dev.h:33:#define _H_QXL_DEV > qxldod/include/qxl_dev.h:65:#define QXL_DEVICE_ID_STABLE 0x0100 > qxldod/include/qxl_dev.h:74:#define QXL_DEVICE_ID_DEVEL 0x01ff > qxldod/include/qxl_dev.h:808:#endif /* _H_QXL_DEV */ > qxldod/QxlDod.h:13:#include "qxl_dev.h" > > Anyway, patch looks fine but we might want to do some follow ups. > Yes, surely. > > struct CursorChannel > > { > > CommonGraphicsChannel parent; Frediano _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel