aboutsummaryrefslogtreecommitdiff
path: root/ui/vnc.c
diff options
context:
space:
mode:
authorGerd Hoffmann <kraxel@redhat.com>2017-01-24 10:00:28 +0100
committerGerd Hoffmann <kraxel@redhat.com>2017-01-31 08:52:52 +0100
commiteebe0b7905642a986cbce7406d6ab7bf78f3e210 (patch)
tree8daffe2c375b3f097a0c1314a02a15092f5e5d42 /ui/vnc.c
parent51e0b654539d587f09fc23074d1ae2a9c7747b06 (diff)
downloadqemu-eebe0b7905642a986cbce7406d6ab7bf78f3e210.zip
qemu-eebe0b7905642a986cbce7406d6ab7bf78f3e210.tar.gz
qemu-eebe0b7905642a986cbce7406d6ab7bf78f3e210.tar.bz2
vnc: fix overflow in vnc_update_stats
Commit "bea60dd ui/vnc: fix potential memory corruption issues" is incomplete. vnc_update_stats must calculate width and height the same way vnc_refresh_server_surface does it, to make sure we don't use width and height values larger than the qemu vnc server can handle. Commit "e22492d ui/vnc: disable adaptive update calculations if not needed" masks the issue in the default configuration. It triggers only in case the "lossy" option is set to "on" (default is "off"). Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
Diffstat (limited to 'ui/vnc.c')
-rw-r--r--ui/vnc.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/ui/vnc.c b/ui/vnc.c
index 6854fdb..cdeb79c 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2724,8 +2724,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
static int vnc_update_stats(VncDisplay *vd, struct timeval * tv)
{
- int width = pixman_image_get_width(vd->guest.fb);
- int height = pixman_image_get_height(vd->guest.fb);
+ int width = MIN(pixman_image_get_width(vd->guest.fb),
+ pixman_image_get_width(vd->server));
+ int height = MIN(pixman_image_get_height(vd->guest.fb),
+ pixman_image_get_height(vd->server));
int x, y;
struct timeval res;
int has_dirty = 0;