|
 |
9ae3a8 |
From 8c2d53ffb72c574d0c81e2c86115a18598e66c65 Mon Sep 17 00:00:00 2001
|
|
|
9ae3a8 |
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Date: Wed, 22 Feb 2017 12:36:26 +0100
|
|
|
9ae3a8 |
Subject: [PATCH 08/24] vnc: fix overflow in vnc_update_stats
|
|
|
9ae3a8 |
MIME-Version: 1.0
|
|
|
9ae3a8 |
Content-Type: text/plain; charset=UTF-8
|
|
|
9ae3a8 |
Content-Transfer-Encoding: 8bit
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Message-id: <1487766986-6329-9-git-send-email-kraxel@redhat.com>
|
|
|
9ae3a8 |
Patchwork-id: 73975
|
|
|
9ae3a8 |
O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/8] vnc: fix overflow in vnc_update_stats
|
|
|
9ae3a8 |
Bugzilla: 1377977
|
|
|
9ae3a8 |
RH-Acked-by: Thomas Huth <thuth@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Marc-André Lureau <mlureau@redhat.com>
|
|
|
9ae3a8 |
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
|
|
|
9ae3a8 |
incomplete. vnc_update_stats must calculate width and height the same
|
|
|
9ae3a8 |
way vnc_refresh_server_surface does it, to make sure we don't use width
|
|
|
9ae3a8 |
and height values larger than the qemu vnc server can handle.
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Commit "e22492d ui/vnc: disable adaptive update calculations if not
|
|
|
9ae3a8 |
needed" masks the issue in the default configuration. It triggers only
|
|
|
9ae3a8 |
in case the "lossy" option is set to "on" (default is "off").
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
9ae3a8 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
9ae3a8 |
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
|
9ae3a8 |
Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
|
|
|
9ae3a8 |
(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
|
|
|
9ae3a8 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
9ae3a8 |
---
|
|
|
9ae3a8 |
ui/vnc.c | 6 ++++--
|
|
|
9ae3a8 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
diff --git a/ui/vnc.c b/ui/vnc.c
|
|
|
9ae3a8 |
index d0ada7e..b68918e 100644
|
|
|
9ae3a8 |
--- a/ui/vnc.c
|
|
|
9ae3a8 |
+++ b/ui/vnc.c
|
|
|
9ae3a8 |
@@ -2581,8 +2581,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
|
|
|
9ae3a8 |
|
|
|
9ae3a8 |
static int vnc_update_stats(VncDisplay *vd, struct timeval * tv)
|
|
|
9ae3a8 |
{
|
|
|
9ae3a8 |
- int width = pixman_image_get_width(vd->guest.fb);
|
|
|
9ae3a8 |
- int height = pixman_image_get_height(vd->guest.fb);
|
|
|
9ae3a8 |
+ int width = MIN(pixman_image_get_width(vd->guest.fb),
|
|
|
9ae3a8 |
+ pixman_image_get_width(vd->server));
|
|
|
9ae3a8 |
+ int height = MIN(pixman_image_get_height(vd->guest.fb),
|
|
|
9ae3a8 |
+ pixman_image_get_height(vd->server));
|
|
|
9ae3a8 |
int x, y;
|
|
|
9ae3a8 |
struct timeval res;
|
|
|
9ae3a8 |
int has_dirty = 0;
|
|
|
9ae3a8 |
--
|
|
|
9ae3a8 |
1.8.3.1
|
|
|
9ae3a8 |
|