This problem was exposed (and probably only occurs) when using XSpice
in dfps mode with spice-html5, and resizing from larger to smaller.
The screen would be resized, but the update region would still attempt
to transmit any pending changes to the (now) truncated surface.  This
would often lead to a crash.

Signed-off-by: Jeremy White <jwh...@codeweavers.com>
---
 src/qxl_image.c   |    2 ++
 src/qxl_surface.c |    9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/qxl_image.c b/src/qxl_image.c
index 8927fd4..1975df6 100644
--- a/src/qxl_image.c
+++ b/src/qxl_image.c
@@ -62,6 +62,8 @@ hash_and_copy (const uint8_t *src, int src_stride,
        const uint8_t *src_line = src + i * src_stride;
        uint8_t *dest_line = dest + i * dest_stride;
        int n_bytes = width * bytes_per_pixel;
+       if (n_bytes > src_stride)
+           n_bytes = src_stride;
 
        if (dest)
            memcpy (dest_line, src_line, n_bytes);
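Review bot: The clamp added before the `memcpy` in hash_and_copy bounds only the per-row byte count against `src_stride`. It does not bound the number of rows or any column offset already folded into `src`, so a caller that passes a rectangle outside the source can still cause a read past the buffer. It also turns a zero or negative `src_stride` into a non-positive `n_bytes`, which `memcpy` would receive as a very large `size_t` if negative; whether any caller passes such a stride is not visible here. I would keep this as a last-resort guard, tighten it to `if (src_stride > 0 && n_bytes > src_stride) n_bytes = src_stride;`, and document it with `/* defensive only: callers must clip the rectangle to the source before calling */`. The loop and the rest of the function lie outside the hunk.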
diff --git a/src/qxl_surface.c b/src/qxl_surface.c
index 1075eae..72a7f88 100644
--- a/src/qxl_surface.c
+++ b/src/qxl_surface.c
@@ -290,10 +290,13 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr 
pixmap, BoxPtr b)
     int stride;
     int bpp;
 
+    if (b->x1 >= qxl->virtual_x || b->y1 >= qxl->virtual_y)
+        return;
+
     rect.left = b->x1;
-    rect.right = b->x2;
+    rect.right = min(b->x2, qxl->virtual_x);
     rect.top = b->y1;
-    rect.bottom = b->y2;
+    rect.bottom = min(b->y2, qxl->virtual_y);
 
     drawable_bo = make_drawable (qxl, qxl->primary, QXL_DRAW_COPY, &rect);
     drawable = qxl->bo_funcs->bo_map(drawable_bo);
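Review bot: Only the right and bottom edges are clipped in upload_one_primary_region. `b->x1` and `b->y1` are tested against the upper bound, but a negative value would still land in `rect.left`/`rect.top` and is later used as the source origin in the qxl_image_create call. If damage boxes can have negative origins (not visible from this hunk), clamp them as well with `rect.left = max(b->x1, 0);` and `rect.top = max(b->y1, 0);`, then bail out on an empty result with `if (rect.right <= rect.left || rect.bottom <= rect.top) return;`. A short comment above the early return saying that the surface may have shrunk since the damage was recorded would make the intent clear. The function starts and ends outside the hunk.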
@@ -309,7 +312,7 @@ upload_one_primary_region(qxl_screen_t *qxl, PixmapPtr 
pixmap, BoxPtr b)
 
     fbGetPixmapBitsData(pixmap, data, stride, bpp);
     image_bo = qxl_image_create (
-       qxl, (const uint8_t *)data, b->x1, b->y1, b->x2 - b->x1, b->y2 - b->y1, 
stride * sizeof(*data),
+       qxl, (const uint8_t *)data, rect.left, rect.top, rect.right - 
rect.left, rect.bottom - rect.top, stride * sizeof(*data),
        bpp == 24 ? 4 : bpp / 8, TRUE);
     qxl->bo_funcs->bo_output_bo_reloc(qxl, offsetof(QXLDrawable, 
u.copy.src_bitmap),
                                   drawable_bo, image_bo);
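Review bot: The rectangle passed to qxl_image_create is clipped to `qxl->virtual_x`/`qxl->virtual_y`, but the bytes are read from `data`, which fbGetPixmapBitsData takes from `pixmap`. If the pixmap can be smaller than the virtual size at any point during a resize (not determinable from this hunk), the copy can still run past the pixmap's storage. Either clip against `pixmap->drawable.width` and `pixmap->drawable.height` as well, or add a comment stating the invariant that the pixmap is at least `virtual_x` by `virtual_y` whenever this function runs. Separately, `stride * sizeof(*data)` is a `size_t` expression that ends up in an `int` stride parameter in hash_and_copy; that conversion is worth a comment or an explicit range check. The function continues outside the hunk.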
-- 
1.7.10.4
