Patchwork [4/4] vnc: Limit r/w access to size of allocated memory

Submitter Corentin Chary
Date March 21, 2011, 8:34 a.m.
Message ID <1300696478-6051-5-git-send-email-corentin.chary@gmail.com>
Permalink /patch/87716/
State New

Comments

Corentin Chary - March 21, 2011, 8:34 a.m.
From: Stefan Weil <weil@mail.berlios.de>

This fixes memory reads and writes which exceeded the upper limit
of allocated memory vd->guest.ds->data and vd->server->data.

Cc: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Corentin Chary <corentin.chary@gmail.com>
---
 ui/vnc.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
Aurelien Jarno - April 9, 2011, 10:17 p.m.
On Mon, Mar 21, 2011 at 09:34:38AM +0100, Corentin Chary wrote:
> From: Stefan Weil <weil@mail.berlios.de>
> 
> This fixes memory reads and writes which exceeded the upper limit
> of allocated memory vd->guest.ds->data and vd->server->data.
> 
> Cc: Anthony Liguori <aliguori@us.ibm.com>
> Signed-off-by: Stefan Weil <weil@mail.berlios.de>
> Signed-off-by: Corentin Chary <corentin.chary@gmail.com>
> ---
>  ui/vnc.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 90b6384..3138053 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2414,6 +2414,9 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
>       * Update server dirty map.
>       */
>      cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
> +    if (cmp_bytes > vd->ds->surface->linesize) {
> +        cmp_bytes = vd->ds->surface->linesize;
> +    }

What about using ds_get_linesize(vd->ds) instead?

>      guest_row  = vd->guest.ds->data;
>      server_row = vd->server->data;
>      for (y = 0; y < vd->guest.ds->height; y++) {
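Review bot: the new clamp at the top of the hunk has no comment saying when it can fire; from the visible lines, cmp_bytes = 16 * bytes_per_pixel only exceeds a line when the surface is narrower than 16 pixels, and a one-line comment above the `if` stating that (and that the comparison width is deliberately truncated to the line in that case) would save the next reader from wondering whether a wider-than-16-pixel case is also being handled here.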
> -- 
> 1.7.3.4
> 
> 
>
Stefan Weil - April 10, 2011, 6:28 a.m.
On 10.04.2011 00:17, Aurelien Jarno wrote:
> On Mon, Mar 21, 2011 at 09:34:38AM +0100, Corentin Chary wrote:
>> From: Stefan Weil <weil@mail.berlios.de>
>>
>> This fixes memory reads and writes which exceeded the upper limit
>> of allocated memory vd->guest.ds->data and vd->server->data.
>>
>> Cc: Anthony Liguori <aliguori@us.ibm.com>
>> Signed-off-by: Stefan Weil <weil@mail.berlios.de>
>> Signed-off-by: Corentin Chary <corentin.chary@gmail.com>
>> ---
>> ui/vnc.c | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/ui/vnc.c b/ui/vnc.c
>> index 90b6384..3138053 100644
>> --- a/ui/vnc.c
>> +++ b/ui/vnc.c
>> @@ -2414,6 +2414,9 @@ static int 
>> vnc_refresh_server_surface(VncDisplay *vd)
>> * Update server dirty map.
>> */
>> cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
>> + if (cmp_bytes > vd->ds->surface->linesize) {
>> + cmp_bytes = vd->ds->surface->linesize;
>> + }
>
> What about using ds_get_linesize(vd->ds) instead?

Yes, that's better. Please either change the two lines, or
wait until I have sent a new version of the patch.

The patch should be applied to stable, too.

Thanks,
Stefan

Patch

diff --git a/ui/vnc.c b/ui/vnc.c
index 90b6384..3138053 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2414,6 +2414,9 @@  static int vnc_refresh_server_surface(VncDisplay *vd)
      * Update server dirty map.
      */
     cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
+    if (cmp_bytes > vd->ds->surface->linesize) {
+        cmp_bytes = vd->ds->surface->linesize;
+    }
     guest_row  = vd->guest.ds->data;
     server_row = vd->server->data;
     for (y = 0; y < vd->guest.ds->height; y++) {
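Review bot: the bound is taken from the wrong surface. The commit message says the overruns were on vd->guest.ds->data and vd->server->data, and the context lines confirm those are the buffers walked (`guest_row = vd->guest.ds->data;`, `server_row = vd->server->data;`, loop over `vd->guest.ds->height`), yet the clamp compares cmp_bytes against `vd->ds->surface->linesize`, a third surface. Unless the three line sizes are guaranteed equal (nothing in the hunk shows that), clamp against the linesize of the guest and server surfaces, e.g. the smaller of the two, and use the accessor Aurelien suggested (`ds_get_linesize()`) rather than reaching into `->surface->linesize` directly.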