diff options
author | Gerd Hoffmann <kraxel@redhat.com> | 2015-06-09 21:08:47 +0200 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2015-07-29 18:34:12 -0500 |
commit | c270245a53d6706131307673cb082826719228d1 (patch) | |
tree | 088a8a5aaa85f1ba7dad93c4b8ecf1d880986967 | |
parent | 9272707a1f64c06697360c63a0eb1acc3e45f11b (diff) | |
download | qemu-c270245a53d6706131307673cb082826719228d1.zip qemu-c270245a53d6706131307673cb082826719228d1.tar.gz qemu-c270245a53d6706131307673cb082826719228d1.tar.bz2 |
spice-display: fix segfault in qemu_spice_create_update
Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different. So use
separate variables for them.
https://bugzilla.redhat.com/show_bug.cgi?id=1163047
Cc: qemu-stable@nongnu.org
Reported-by: perrier vincent <clownix@clownix.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-rw-r--r-- | ui/spice-display.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ui/spice-display.c b/ui/spice-display.c index 1644185..5935564 100644 --- a/ui/spice-display.c +++ b/ui/spice-display.c @@ -199,7 +199,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) static const int blksize = 32; int blocks = (surface_width(ssd->ds) + blksize - 1) / blksize; int dirty_top[blocks]; - int y, yoff, x, xoff, blk, bw; + int y, yoff1, yoff2, x, xoff, blk, bw; int bpp = surface_bytes_per_pixel(ssd->ds); uint8_t *guest, *mirror; @@ -214,13 +214,14 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) guest = surface_data(ssd->ds); mirror = (void *)pixman_image_get_data(ssd->mirror); for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) { - yoff = y * surface_stride(ssd->ds); + yoff1 = y * surface_stride(ssd->ds); + yoff2 = y * pixman_image_get_stride(ssd->mirror); for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) { xoff = x * bpp; blk = x / blksize; bw = MIN(blksize, ssd->dirty.right - x); - if (memcmp(guest + yoff + xoff, - mirror + yoff + xoff, + if (memcmp(guest + yoff1 + xoff, + mirror + yoff2 + xoff, bw * bpp) == 0) { if (dirty_top[blk] != -1) { QXLRect update = { |