Commit 503b3b33 authored by Gerd Hoffmann

qxl-render: add more sanity checks

Damn, the dirty rectangle values are signed integers.  So the checks
added by commit 788fbf04 are not good enough, we also have to make
sure they are not negative.

[ Note: There must be something broken in spice-server so we get
  negative values in the first place.  Bug opened:
  https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ]

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
parent 8b303011
+3 −1
@@ -138,7 +138,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
        if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
            break;
        }
        if (qxl->dirty[i].left > qxl->dirty[i].right ||
        if (qxl->dirty[i].left < 0 ||
            qxl->dirty[i].top < 0 ||
            qxl->dirty[i].left > qxl->dirty[i].right ||
            qxl->dirty[i].top > qxl->dirty[i].bottom ||
            qxl->dirty[i].right > qxl->guest_primary.surface.width ||
            qxl->dirty[i].bottom > qxl->guest_primary.surface.height) {
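
Review bot: The new left < 0 and top < 0 clauses reject a negative right or bottom only indirectly, through the left > right and top > bottom ordering checks that follow them, and nothing in the condition says so. A one-line comment above the condition stating that non-negative right and bottom follow from the ordering checks would keep a later edit from dropping a clause and silently losing that guarantee. Since the commit message attributes the negative values to spice-server, it would also help to log the rejected rectangle in this branch so the linked bug can be diagnosed from the QEMU side. With six clauses, the condition is also a candidate for a small helper that takes the rectangle plus the surface width and height.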