authorGerd Hoffmann <kraxel@redhat.com>2014-08-29 09:27:52 +0200
committerMichael Roth <mdroth@linux.vnet.ibm.com>2014-09-10 09:30:57 -0500
commit67cfda87763775abbfcb5ec7381f506fea500735 (patch)
treec13dc27ce9907888d8682ff09aafe397dccd070c
parent4fd144f8f52cdc99c0bdcfc2021219f483d997f8 (diff)
downloadqemu-67cfda87763775abbfcb5ec7381f506fea500735.tar.gz
qxl-render: add more sanity checks
Damn, the dirty rectangle values are signed integers. So the checks added by commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21 are not good enough, we also have to make sure they are not negative. [ Note: There must be something broken in spice-server so we get negative values in the first place. Bug opened: https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ] Cc: qemu-stable@nongnu.org Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> (cherry picked from commit 503b3b33feca818baa4459aba286e54a528e5567) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r--hw/display/qxl-render.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index cc2c2b1dbc..bcc5c3701a 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -138,7 +138,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
break;
}
- if (qxl->dirty[i].left > qxl->dirty[i].right ||
+ if (qxl->dirty[i].left < 0 ||
+ qxl->dirty[i].top < 0 ||
+ qxl->dirty[i].left > qxl->dirty[i].right ||
qxl->dirty[i].top > qxl->dirty[i].bottom ||
qxl->dirty[i].right > qxl->guest_primary.surface.width ||
qxl->dirty[i].bottom > qxl->guest_primary.surface.height) {
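Review bot: The condition tests only `left` and `top` for negative values; `right` and `bottom` are rejected when negative only by implication, since `left >= 0` together with `left <= right` forces `right >= 0` (same for `top`/`bottom`). That reasoning is easy to break in a later edit, so I would state it in a comment above the `if`: `/* left/top >= 0 and left <= right, top <= bottom imply right/bottom >= 0 */`. The commit message attributes the negative values to a fault outside this file, so a trace point or warning in the rejecting branch would make such rectangles visible instead of dropping them silently; that branch and the rest of qxl_render_update_area_unlocked are outside the hunk, so it may already log.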