1 | # HG changeset patch |
---|
2 | # User Steven Smith <ssmith@xensource.com> |
---|
3 | # Node ID ca3abb3804f4400b24037a4366cb2ca5e51ed742 |
---|
4 | # Parent 7fca81d456b2cb40d4effe2492f7ed1aafd32f52 |
---|
5 | [HVM][VNC] Make sure that qemu doesn't go into an infinite loop when |
---|
6 | it receives certain invalid requests from the viewer. |
---|
7 | |
---|
8 | Signed-off-by: Steven Smith <sos22@cam.ac.uk> |
---|
9 | |
---|
10 | Index: ioemu/vnc.c |
---|
11 | =================================================================== |
---|
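--- a/ioemu/vnc.c
+++ b/ioemu/vnc.c
@@ -26,6 +26,7 @@
 
 #include "vl.h"
 #include "qemu_socket.h"
+#include <assert.h>
 
 #define VNC_REFRESH_INTERVAL (1000 / 30)
 
@@ -679,8 +680,10 @@
 memmove(vs->input.buffer, vs->input.buffer + len,
 vs->input.offset - len);
 vs->input.offset -= len;
- } else
+ } else {
+ assert(ret > vs->read_handler_expect);
 vs->read_handler_expect = ret;
+ }
 }
 }
 
@@ -963,8 +966,12 @@
 if (len == 1)
 return 4;
 
- if (len == 4)
- return 4 + (read_u16(data, 2) * 4);
+ if (len == 4) {
+ uint16_t v;
+ v = read_u16(data, 2);
+ if (v)
+ return 4 + v * 4;
+ }
 
 limit = read_u16(data, 2);
 for (i = 0; i < limit; i++) {
@@ -998,8 +1005,12 @@
 if (len == 1)
 return 8;
 
- if (len == 8)
- return 8 + read_u32(data, 4);
+ if (len == 8) {
+ uint32_t v;
+ v = read_u32(data, 4);
+ if (v)
+ return 8 + v;
+ }
 
 client_cut_text(vs, read_u32(data, 4), data + 8);
 break;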
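Review bot: The `assert(ret > vs->read_handler_expect)` added in the `@@ -679` hunk is evaluated on a value that the message handlers derive from viewer-supplied bytes, so a malformed request now aborts the whole device model instead of looping, and with `NDEBUG` defined the check disappears and the loop can return. The `@@ -998` hunk is one visible route into that branch: `8 + v` with a 32-bit `v` read from the wire can wrap to a value no larger than 8, and nothing in the hunk bounds `v` before it becomes the expected read size. I would replace the assert with a runtime check such as `if (ret <= vs->read_handler_expect) { /* close this client and return */ }`, and reject cut-text lengths above a fixed maximum before `return 8 + v;`. The enclosing functions start and end outside the hunks, so the handlers' return type and the existing client-teardown path should be confirmed there.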