@@ -1410,10 +1410,10 @@ static void pointer_event(VncState *vs, int button_mask,
dz = 1;
if (vs->absolute) {
- kbd_mouse_event(ds_get_width(vs->ds) > 1 ?
- x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000,
- ds_get_height(vs->ds) > 1 ?
- y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000,
+ int width = ds_get_width(vs->ds);
+ int height = ds_get_height(vs->ds);
+ kbd_mouse_event(width > 1 ? x * 0x7FFF / (width - 1) : 0x4000,
+ height > 1 ? y * 0x7FFF / (height - 1) : 0x4000,
dz, buttons);
} else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
x -= 0x7FFF;
cc39a92cbfc8 fixed a SIGFPE where the screen is resized to width/hight 1 and then receives a mouse click. However, there is a still a tiny window here for a race between the test for width/height > 1 and the division. Signed-off-by: Chris Webb <chris@arachsys.com> --- Sending this as I've just seen a SIGFPE from one of the qemu-kvm VMs running in our public-facing cluster. Running gdb on the resulting core dump pointed at line #1424 of vnc.c: 1423 if (vs->absolute) { 1424 kbd_mouse_event(ds_get_width(vs->ds) > 1 ? 1425 x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000, 1426 ds_get_height(vs->ds) > 1 ? 1427 y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000, 1428 dz, buttons); I think this must have been a (tight) race between the comparison and the division. This should probably go to the 0.12-stable branch too as that's where I saw the crash. I can send a rebased patch if that's more convenient? A pity this crash happened just after the release of 0.12.5 rather than a week or two earlier! ui/vnc.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)