[Qemu-stable] [PATCH 24/53] spice-display: fix segfault in qemu_spice

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] [PATCH 24/53] spice-display: fix segfault in qemu_spice_cr

From:	Michael Roth
Subject:	[Qemu-stable] [PATCH 24/53] spice-display: fix segfault in qemu_spice_create_update
Date:	Thu, 30 Jul 2015 06:32:39 -0500

From: Gerd Hoffmann <address@hidden>

Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different.  So use
separate variables for them.

https://bugzilla.redhat.com/show_bug.cgi?id=1163047

Cc: address@hidden
Reported-by: perrier vincent <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489)
Signed-off-by: Michael Roth <address@hidden>
---
 ui/spice-display.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 1644185..5935564 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -199,7 +199,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
     static const int blksize = 32;
     int blocks = (surface_width(ssd->ds) + blksize - 1) / blksize;
     int dirty_top[blocks];
-    int y, yoff, x, xoff, blk, bw;
+    int y, yoff1, yoff2, x, xoff, blk, bw;
     int bpp = surface_bytes_per_pixel(ssd->ds);
     uint8_t *guest, *mirror;
 
@@ -214,13 +214,14 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
     guest = surface_data(ssd->ds);
     mirror = (void *)pixman_image_get_data(ssd->mirror);
     for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) {
-        yoff = y * surface_stride(ssd->ds);
+        yoff1 = y * surface_stride(ssd->ds);
+        yoff2 = y * pixman_image_get_stride(ssd->mirror);
         for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
             xoff = x * bpp;
             blk = x / blksize;
             bw = MIN(blksize, ssd->dirty.right - x);
-            if (memcmp(guest + yoff + xoff,
-                       mirror + yoff + xoff,
+            if (memcmp(guest + yoff1 + xoff,
+                       mirror + yoff2 + xoff,
                        bw * bpp) == 0) {
                 if (dirty_top[blk] != -1) {
                     QXLRect update = {
-- 
1.9.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] [PATCH 18/53] kbd: add brazil kbd keys to x11 evdev map, (continued)
- [Qemu-stable] [PATCH 18/53] kbd: add brazil kbd keys to x11 evdev map, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 20/53] iotests: qcow2 COW with minimal L2 cache size, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 16/53] qga/commands-posix: Fix bug in guest-fstrim, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 01/53] bt-sdp: fix broken uuids power-of-2 calculation, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 17/53] kbd: add brazil kbd keys to qemu, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 21/53] vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 19/53] qcow2: Set MIN_L2_CACHE_SIZE to 2, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 23/53] sdl2: fix crash in handle_windowevent() when restoring the screen size, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 22/53] vmdk: Use vmdk_find_index_in_cluster everywhere, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 25/53] i8254: fix out-of-bounds memory access in pit_ioport_read(), Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 24/53] spice-display: fix segfault in qemu_spice_create_update, Michael Roth <=
- [Qemu-stable] [PATCH 26/53] hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf(), Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 28/53] virtio-ccw: complete handling of guest-initiated resets, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 27/53] vhost: correctly pass error to caller in vhost_dev_enable_notifiers(), Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 29/53] block: Add bdrv_get_block_status_above, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 32/53] block: Fix dirty bitmap in bdrv_co_discard, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 33/53] qemu-iotests: Make block job methods common, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 31/53] mirror: Do zero write on target if sectors not allocated, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 30/53] qmp: Add optional bool "unmap" to drive-mirror, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 34/53] qemu-iotests: Add test case for mirror with unmap, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 36/53] iotests: add QMP event waiting queue, Michael Roth, 2015/07/30

Prev by Date: [Qemu-stable] [PATCH 25/53] i8254: fix out-of-bounds memory access in pit_ioport_read()
Next by Date: [Qemu-stable] [PATCH 26/53] hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()
Previous by thread: [Qemu-stable] [PATCH 25/53] i8254: fix out-of-bounds memory access in pit_ioport_read()
Next by thread: [Qemu-stable] [PATCH 26/53] hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()
Index(es):
- Date
- Thread