Getting colder with our second freeze... it's 3.31.91 release day and string freeze, upload a tarball and lock those strings 🏂

Commit f3fc5e57 authored by Daniel P. Berrange's avatar Daniel P. Berrange

Fix framebuffer update boundary check

Framebuffer boundary checks need to take into account offset,
in addition to width/height

* src/vncconnection.c: Fix boundary check
parent 5760a2a2
......@@ -2653,13 +2653,14 @@ static void vnc_connection_ext_key_event(VncConnection *conn)
static gboolean vnc_connection_validate_boundary(VncConnection *conn,
guint16 x, guint16 y,
guint16 width, guint16 height)
{
VncConnectionPrivate *priv = conn->priv;
if (width > priv->width || height > priv->height) {
VNC_DEBUG("Framebuffer update %dx%d outside boundary %dx%d",
width, height, priv->width, priv->height);
if ((x + width) > priv->width || (y + height) > priv->height) {
VNC_DEBUG("Framebuffer update %dx%d at %d,%d outside boundary %dx%d",
width, height, x, y, priv->width, priv->height);
priv->has_error = TRUE;
}
......@@ -2681,37 +2682,37 @@ static gboolean vnc_connection_framebuffer_update(VncConnection *conn, gint32 et
switch (etype) {
case VNC_CONNECTION_ENCODING_RAW:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_raw_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
break;
case VNC_CONNECTION_ENCODING_COPY_RECT:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_copyrect_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
break;
case VNC_CONNECTION_ENCODING_RRE:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_rre_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
break;
case VNC_CONNECTION_ENCODING_HEXTILE:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_hextile_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
break;
case VNC_CONNECTION_ENCODING_ZRLE:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_zrle_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
break;
case VNC_CONNECTION_ENCODING_TIGHT:
if (!vnc_connection_validate_boundary(conn, width, height))
if (!vnc_connection_validate_boundary(conn, x, y, width, height))
break;
vnc_connection_tight_update(conn, x, y, width, height);
vnc_connection_update(conn, x, y, width, height);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment