diff options
| author | Stefan Weil <weil@mail.berlios.de> | 2011-03-03 21:37:55 +0100 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-03-10 16:12:25 -0600 |
| commit | 23bfe28fffd6fff12a39c1ff7274b0dfdecbfa38 (patch) | |
| tree | 9d9e19536b3781019e61e068b33b4e86e960f4d4 /ui/vnc.h | |
| parent | 2ea720dba50a4e95a641dd69b0a9864b315868c2 (diff) | |
| download | focaccia-qemu-23bfe28fffd6fff12a39c1ff7274b0dfdecbfa38.tar.gz focaccia-qemu-23bfe28fffd6fff12a39c1ff7274b0dfdecbfa38.zip | |
vnc: Fix stack corruption and other bitmap related bugs
Commit bc2429b9174ac2d3c56b7fd35884b0d89ec7fb02 introduced a severe bug (stack corruption). bitmap_clear was called with a wrong argument which caused out-of-bound writes to the local variable width_mask. This bug was detected with QEMU running on windows. It also occurs with wine: *** stack smashing detected ***: terminated wine: Unhandled illegal instruction at address 0x6115c7 (thread 0009), starting debugger... The bug is not windows specific! Instead of fixing the wrong parameter value, bitmap_clear(), bitmap_set and width_mask were removed, and bitmap_intersect() was replaced by !bitmap_empty(). The new operation is much shorter and equivalent to the old operations. The declarations of the dirty bitmaps in vnc.h were also wrong for 64 bit hosts because of a rounding effect: for these hosts, VNC_MAX_WIDTH is no longer a multiple of (16 * BITS_PER_LONG), so the rounded value of VNC_DIRTY_WORDS was too small. Fix both declarations by using the macro which is designed for this purpose. Cc: Corentin Chary <corentincj@iksaif.net> Cc: Wen Congyang <wency@cn.fujitsu.com> Cc: Gerhard Wiesinger <lists@wiesinger.com> Cc: Anthony Liguori <aliguori@us.ibm.com> Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'ui/vnc.h')
| -rw-r--r-- | ui/vnc.h | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/ui/vnc.h b/ui/vnc.h index 8a1e7b939e..f10c5dc4e0 100644 --- a/ui/vnc.h +++ b/ui/vnc.h @@ -79,9 +79,12 @@ typedef void VncSendHextileTile(VncState *vs, void *last_fg, int *has_bg, int *has_fg); +/* VNC_MAX_WIDTH must be a multiple of 16. */ #define VNC_MAX_WIDTH 2560 #define VNC_MAX_HEIGHT 2048 -#define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * BITS_PER_LONG)) + +/* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */ +#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / 16) #define VNC_STAT_RECT 64 #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT) @@ -114,7 +117,7 @@ typedef struct VncRectStat VncRectStat; struct VncSurface { struct timeval last_freq_check; - unsigned long dirty[VNC_MAX_HEIGHT][VNC_DIRTY_WORDS]; + DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], VNC_MAX_WIDTH / 16); VncRectStat stats[VNC_STAT_ROWS][VNC_STAT_COLS]; DisplaySurface *ds; }; @@ -234,7 +237,7 @@ struct VncState int csock; DisplayState *ds; - unsigned long dirty[VNC_MAX_HEIGHT][VNC_DIRTY_WORDS]; + DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], VNC_DIRTY_BITS); uint8_t **lossy_rect; /* Not an Array to avoid costly memcpy in * vnc-jobs-async.c */ |