| Commit message | Author | Age | Files | Lines |
| |
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
| |
Also remove some unused function parameters from
bitmap_get_graduality_level()
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
| |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
| |
There was no check for the data_size field, so one could set data to
a small set of data and data_size much bigger than the size of data,
leading to a buffer overflow.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
| |
The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more than the allocated segments.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Limit the number of chunks to a given amount to avoid the guest trying to
allocate too much memory. Using circular or nested chunk lists the
guest could try to allocate huge amounts of memory.
Considering the list can be infinite and the guest can change the data, this
also prevents strange security attacks from the guest.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
| |
Free linked list if client tries to do nasty things
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Do not read data from the guest multiple times as it can be changed by
other guest vcpus. This causes races and security problems if these
data are used for buffer allocation or checks.
Actually, the 'data' member can't change during the read as it is just a
pointer to a fixed array contained in qxl. However, this change will
make it clear that there can be no race condition.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
| |
If bpp is an int the formula can lead to weird overflows. width and height
are uint16_t so the formula is:
size_t = u16 * (u16 * int + const_int) / const_int;
so it becomes
size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;
However, the (int) u16 * (int) u16 can then become negative due to overflow.
Under 64 bit architectures size_t is 64 bits and int is usually 32, so converting
this negative 32 bit number to an unsigned 64 bit one leads to a very big
number as the sign is extended and then converted to unsigned.
Using unsigned arithmetic prevents extending the sign.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Do not read multiple times an array size that can be changed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Do not read data from the guest multiple times as this could be changed
by other vcpu threads.
This causes races and security problems if these data are used for
buffer allocation or checks.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Do not read multiple times an array size that can be changed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
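The single-read rule that these commit messages apply (read a guest-controlled value once into a local, validate the local, use only the local), shown as an added C example that is not spice-server code. The guest is simulated by a read callback so the race is deterministic and runs offline; GuestSegments, would_copy_racy, would_copy_safe, RaceCtx and MAX_SEGMENTS are hypothetical names chosen for this demonstration.

```c
/* Added example, not spice-server code: the guest-memory double-read race
 * and the single-read pattern that closes it. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SEGMENTS 8u   /* capacity of the host-side buffer (constructed) */

/* A count living in guest-shared memory that another vCPU may rewrite at
 * any moment. Reads go through a callback so the race can be reproduced
 * deterministically instead of with real threads. */
typedef struct {
    uint32_t (*read_num_segments)(void *ctx);  /* one call = one read of guest memory */
    void *ctx;
} GuestSegments;

/* Racy pattern: the check reads the field, then the copy reads it again.
 * Between the two reads the guest can raise the value past the capacity.
 * Returns the element count the copy would use, or -1 if the check rejected it. */
static long would_copy_racy(GuestSegments *g, size_t capacity)
{
    if (g->read_num_segments(g->ctx) > capacity)   /* first read: validated */
        return -1;
    uint32_t n = g->read_num_segments(g->ctx);     /* second read: never validated */
    /* Real code would memcpy n elements here; this demo only reports n so it
     * cannot overrun anything itself. */
    return (long)n;
}

/* Safe pattern: read the guest-controlled field exactly once into a local,
 * validate the local and use only the local afterwards. */
static long would_copy_safe(GuestSegments *g, size_t capacity)
{
    uint32_t n = g->read_num_segments(g->ctx);     /* single read */
    if (n > capacity)
        return -1;
    return (long)n;
}

/* Simulated racing guest (constructed): the first read returns a valid count,
 * every later read returns an oversized one. */
typedef struct { int reads; } RaceCtx;
static uint32_t racing_read(void *p)
{
    RaceCtx *c = p;
    return c->reads++ == 0 ? 4u : 1000u;
}

/* Simulated guest that presents an oversized count from the start. */
static uint32_t oversized_read(void *p) { (void)p; return 1000u; }

static long run_racy(void)
{
    RaceCtx c = {0};
    GuestSegments g = { racing_read, &c };
    return would_copy_racy(&g, MAX_SEGMENTS);   /* 1000: would overrun an 8-slot buffer */
}

static long run_safe(void)
{
    RaceCtx c = {0};
    GuestSegments g = { racing_read, &c };
    return would_copy_safe(&g, MAX_SEGMENTS);   /* 4: the value that was validated */
}

static long run_safe_oversized(void)
{
    GuestSegments g = { oversized_read, NULL };
    return would_copy_safe(&g, MAX_SEGMENTS);   /* -1: rejected before any copy */
}

int main(void)
{
    printf("racy: %ld  safe: %ld  safe/oversized: %ld\n",
           run_racy(), run_safe(), run_safe_oversized());
    return 0;
}
```

The racy variant is exactly the shape the commits remove: a comparison against one read of guest memory followed by a copy sized by a second read. In real shared memory the field would be accessed through a volatile pointer; the callback here stands in for that so the interleaving is reproducible.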
| |
The overflow may lead to buffer overflow as the row size computed from
width (bitmap->x) can be bigger than the size in bytes (bitmap->stride).
This can make spice-server accept the invalid sizes.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Not a security risk as it is just for read.
However, this could be used to attempt integer overflows in the
following lines.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Check format is valid.
Check stride is at least the size of required bytes for a row.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| |
Prevent integer overflow when computing image sizes.
Image index computations are done using 32 bit so this can easily cause
security issues. MAX_DATA_CHUNK is larger than the virtual
card limit, so this is not going to cause a change in behaviour.
Comparing size calculation results with MAX_DATA_CHUNK will allow us to
catch overflows.
Prevent the guest from allocating large amounts of memory.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
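The size arithmetic from the bpp overflow commit above, the stride-versus-row-size check, and the comparison against an upper bound, shown together as an added C example that is not spice-server code. bitmap_size_signed_wrap reproduces the sign-extension effect the commit describes without undefined behaviour; bitmap_size_checked is a hardened version in unsigned 64-bit arithmetic; MAX_BITMAP_BYTES stands in for a limit like MAX_DATA_CHUNK and its value is a placeholder, and all function names are hypothetical.

```c
/* Added example, not spice-server code: guest-supplied bitmap geometry
 * (uint16_t width/height, bpp, uint32_t stride) turned into a byte size
 * safely. Names and the MAX_BITMAP_BYTES value are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_BITMAP_BYTES (256u * 1024u * 1024u)   /* placeholder sanity limit */

/* Reproduces, without undefined behaviour, what the int-based formula
 * u16 * (u16 * int + 7) / 8 does: the product wraps in 32 bits, can come
 * out negative, and is then sign-extended when widened to a 64-bit size_t. */
static uint64_t bitmap_size_signed_wrap(uint16_t width, uint16_t height, int bpp)
{
    uint32_t row_bits = (uint32_t)width * (uint32_t)bpp + 7u;
    uint32_t product  = (uint32_t)height * row_bits;   /* wraps mod 2^32 */
    int32_t  as_int   = (int32_t)product;   /* implementation-defined; wraps on gcc/clang */
    return (uint64_t)(int64_t)as_int / 8u;  /* negative -> sign-extended -> huge */
}

/* Hardened: bytes per row in 64-bit unsigned arithmetic with bpp bounded,
 * so the intermediate can never exceed 65535 * 32 + 7. */
static bool bitmap_row_bytes(uint16_t width, unsigned bpp, uint64_t *row_bytes)
{
    if (bpp == 0 || bpp > 32)
        return false;
    *row_bytes = ((uint64_t)width * bpp + 7u) / 8u;
    return true;
}

/* Full check: stride must cover a row, and the total must stay under the
 * limit so a guest cannot make the host allocate an absurd buffer. */
static bool bitmap_size_checked(uint16_t width, uint16_t height, unsigned bpp,
                                uint32_t stride, uint64_t *size)
{
    uint64_t row;
    if (!bitmap_row_bytes(width, bpp, &row))
        return false;
    if (stride < row)                       /* "stride vs width times bpp" */
        return false;
    *size = (uint64_t)height * stride;      /* at most 65535 * 2^32, fits in 64 bits */
    return *size <= MAX_BITMAP_BYTES;
}

/* Convenience wrapper: accepted size, or 0 when the geometry is rejected. */
static uint64_t checked_size_or_zero(uint16_t width, uint16_t height,
                                     unsigned bpp, uint32_t stride)
{
    uint64_t size;
    return bitmap_size_checked(width, height, bpp, stride, &size) ? size : 0;
}

int main(void)
{
    printf("640x480x32 old formula:  %llu\n",
           (unsigned long long)bitmap_size_signed_wrap(640, 480, 32));
    printf("65535x65535x32 old formula: %llu (sign-extended garbage)\n",
           (unsigned long long)bitmap_size_signed_wrap(65535, 65535, 32));
    printf("640x480x32 stride 2560 checked: %llu\n",
           (unsigned long long)checked_size_or_zero(640, 480, 32, 2560));
    printf("65535x65535x32 checked: %llu (0 = rejected)\n",
           (unsigned long long)checked_size_or_zero(65535, 65535, 32, 262140));
    return 0;
}
```

For a 640x480 32bpp image both formulas agree on a sane size; at the 16-bit maximum the old formula wraps negative and the sign extension yields a value above 2^60, while the checked version computes the true 16 GB figure and rejects it against the limit. Computing row bytes before multiplying by height also keeps every intermediate well inside 64 bits.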
| |
This limit will prevent the guest trying to do nasty things and DoS to the host.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
| |
SpiceBitmap's stride is uint32_t.
from clang:
red_parse_qxl.c:452:41: error: taking the absolute value of unsigned
type 'uint32_t' (aka 'unsigned int') has no effect
bitmap_size = red->u.bitmap.y * abs(red->u.bitmap.stride);
^
| |
This removes one extra space
| |
After eb09c25c, red_parse_qxl.c still has some spice_error() which
will kill the server even though the code is trying to return an error
when the spice_error() is hit.
This commit replaces these occurrences with a spice_warning() which
will not kill spice-server.
| |
bitmap_consistent should return true or false.
Currently it aborts instead of returning false, due to spice_error.
Replacing spice_error with spice_warning, provides information and returns
false, as expected.
This fixes Fedora bz#997932
| |
Only whitespace changes in this commit.
| |
Non rgb bitmaps are allowed to not have a palette in case they
are masks (which are 1BIT bitmaps).
Related: rhbz#864982
| |
The bit calculation was wrong for all the paletted types by a factor of
between 8 and 1 (SPICE_BITMAP_FMT_{1,4,8}BIT_PLT_{LE,BE})
| |
Just checks stride vs width times bpp.
This fixes a potential abort on guest-generated bad images in
glz_encoder.
Other files are touched to move some consts to red_common; they are
static, so there is no problem with them being defined in both red_worker.c and
red_parse_qxl.c.
| |
In red-parse-qxl.c add support for parsing QXLComposite into
SpiceComposite. In red-worker.c add support for marshalling
SpiceComposite onto the wire.
| |
Graduality is irrelevant for A8 images, so instead of using RGB-ness
as a short-cut, add a new macro BITMAP_FMT_HAS_GRADUALITY() that
returns true for the existing RGB images, but false for A8.
| |
prevents division by zero later (SIGFPE, Arithmetic exception) in
spice-common code, at spice-common/common/canvas_base.c:646
for both client and server (server only upon rendering).
| |
introduced by 2ec2dbc78a660ee4e3315f50c881d9e31a8e4fe2
| |
Simplify keeping count of self_bitmap_image by putting it in
RedDrawable. It is allocated on reading from the command pipe and
deallocated when the last reference to the RedDrawable is dropped,
instead of keeping track of it in GlzDrawable and Drawable.
| |
This patch changed getvirt to continue working even if spice_critical
doesn't abort (i.e. SPICE_ABORT_LEVEL != -1). This is in preparation to
make getvirt not abort at all. The reason is that getvirt is run on
guest provided memory, so a bad driver can crash the vm.
| |
It will abort by default for critical level messages. That behaviour
can be tuned at runtime.
| |
Remove any blank lines at the end of all source files
| |
The free() function allows NULL to be passed in, so any
code which puts an if() before free() is wasting time.
| |
Also fix up the header of server/red_parse_qxl.c, which still contained
some GPL (program rather than library) text in its header.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
| |
The new _ASYNC IOs in qxl_dev listed at the end get six new API
functions, and an additional callback function "async_complete". When
the async version of a specific IO is used, completion is notified by
calling async_complete, and no READY message is written or expected by
the dispatcher.
update_area has been changed to push QXLRects to the worker thread, where
the conversion to SpiceRect takes place.
A cookie has been added to each async call to QXLWorker, and is passed back via
async_complete.
Added API:
QXLWorker:
    update_area_async
    add_memslot_async
    destroy_surfaces_async
    destroy_primary_surface_async
    create_primary_surface_async
    destroy_surface_wait_async
QXLInterface:
    async_complete
| |
When using config.h, it must be the very first include in all source
files since it contains #defines that may change the compilation process
(e.g. libc structure layout changes when it's used to enable large file
support on 32 bit x86 archs). This commit adds it at the beginning
of all .c and .cpp files.
| |
gcc 4.6.0 added "[-Werror=unused-but-set-variable]", this and the next
few fixes tend to that. Mostly harmless.
| |
This one mistakenly had a GPL header rather than an LGPL header.
| |
red_put_image() needs to free the chunks for QUIC images, as we
allocate these when creating the image.
|
| |
spice 0.4 guests pass 16bpp palette colors when running in
a 16bpp video mode. Convert them to 32bpp.
| |
spice 0.4 guests pass 16bpp colors for brushes when running in
a 16bpp video mode. Convert them to 32bpp.