From 8c2d53ffb72c574d0c81e2c86115a18598e66c65 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 22 Feb 2017 12:36:26 +0100
Subject: [PATCH 08/24] vnc: fix overflow in vnc_update_stats
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1487766986-6329-9-git-send-email-kraxel@redhat.com>
Patchwork-id: 73975
O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/8] vnc: fix overflow in vnc_update_stats
Bugzilla: 1377977
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
incomplete.  vnc_update_stats must calculate width and height the same
way vnc_refresh_server_surface does it, to make sure we don't use width
and height values larger than the qemu vnc server can handle.
Commit "e22492d ui/vnc: disable adaptive update calculations if not
needed" masks the issue in the default configuration.  It triggers only
in case the "lossy" option is set to "on" (default is "off").
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 ui/vnc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index d0ada7e..b68918e 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2581,8 +2581,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
 
 static int vnc_update_stats(VncDisplay *vd,  struct timeval * tv)
 {
-    int width = pixman_image_get_width(vd->guest.fb);
-    int height = pixman_image_get_height(vd->guest.fb);
+    int width = MIN(pixman_image_get_width(vd->guest.fb),
+                    pixman_image_get_width(vd->server));
+    int height = MIN(pixman_image_get_height(vd->guest.fb),
+                     pixman_image_get_height(vd->server));
     int x, y;
     struct timeval res;
     int has_dirty = 0;
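
Review bot: the MIN() clamp on the width and height declarations at the top of vnc_update_stats duplicates a calculation that, per the commit message, vnc_refresh_server_surface already performs, and nothing in the hunk ties the two sites together. Since bea60dd was incomplete precisely because this call site was missed, consider moving the clamp into a small shared helper used by both functions, or at least add a comment on these declarations saying the values must stay bounded by the dimensions of vd->server. As the commit message notes the problem only triggers with "lossy" set to "on", any test covering this path should enable that option.
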
-- 
1.8.3.1