From bf968572d1f7a0052df2615b69b361b0ec652a29 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Mon, 17 Jun 2019 17:12:17 +0100
Subject: [PATCH spice-server] display-channel: Avoid potential crash from
 buggy guest driver

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1582137.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Snir Sheriber <ssheribe@redhat.com>
---
 server/display-channel.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/server/display-channel.c b/server/display-channel.c
index 071c01409..7ddd44c14 100644
--- a/server/display-channel.c
+++ b/server/display-channel.c
@@ -2032,7 +2032,11 @@ void display_channel_update(DisplayChannel *display,
     SpiceRect rect;
     RedSurface *surface;
 
-    spice_return_if_fail(display_channel_validate_surface(display, surface_id));
+    // Check that the request is valid, the surface_id comes directly from the guest
+    if (!display_channel_validate_surface(display, surface_id)) {
+        // just return, display_channel_validate_surface already logged a warning
+        return;
+    }
 
     red_get_rect_ptr(&rect, area);
     display_channel_draw(display, &rect, surface_id);
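Review bot: After the new surface_id check, `area` still passes through `red_get_rect_ptr(&rect, area)` into `display_channel_draw()` with no check visible in this hunk. If the rectangle is supplied by the guest in the same way as surface_id, it needs the same non-fatal rejection before drawing, unless display_channel_draw() already rejects or clamps an out-of-range rect. If the callee does validate it, a one-line comment such as `// rect is validated against the surface bounds inside display_channel_draw()` would record where that guarantee lives. The early `return` also leaves any output parameters of display_channel_update unwritten, so callers would have to initialise them before the call. The parameter list and the rest of the body lie outside the hunk, so both points need confirming there.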
-- 
2.20.1