Re: [Qemu-devel] [PATCH 4/4] vnc: Limit r/w access to size of allocated memory

Sat, 09 Apr 2011 15:19:30 -0700 

On Mon, Mar 21, 2011 at 09:34:38AM +0100, Corentin Chary wrote:
> From: Stefan Weil <w...@mail.berlios.de>
> 
> This fixes memory reads and writes which exceeded the upper limit
> of allocated memory vd->guest.ds->data and vd->server->data.
> 
> Cc: Anthony Liguori <aligu...@us.ibm.com>
> Signed-off-by: Stefan Weil <w...@mail.berlios.de>
> Signed-off-by: Corentin Chary <corentin.ch...@gmail.com>
> ---
>  ui/vnc.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 90b6384..3138053 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -2414,6 +2414,9 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
>       * Update server dirty map.
>       */
>      cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
> +    if (cmp_bytes > vd->ds->surface->linesize) {
> +        cmp_bytes = vd->ds->surface->linesize;
> +    }

What about using ds_get_linesize(vd->ds) instead?

>      guest_row  = vd->guest.ds->data;
>      server_row = vd->server->data;
>      for (y = 0; y < vd->guest.ds->height; y++) {
> -- 
> 1.7.3.4
> 
> 
> 

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net

Reply via email to