From 125cf24347a04648d36017d52d57a32675bfb6c6 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Dec 08 2015 15:53:39 +0000
Subject: vnc: avoid floating point exceptions (bz #1289541, bz #1289542)


---

diff --git a/0026-ui-vnc-avoid-floating-point-exception.patch b/0026-ui-vnc-avoid-floating-point-exception.patch
new file mode 100644
index 0000000..849a23b
--- /dev/null
+++ b/0026-ui-vnc-avoid-floating-point-exception.patch
@@ -0,0 +1,41 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan <lianyihan@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3)
+---
+ ui/vnc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 472c30e..66c5494 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2205,15 +2205,15 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
+-    vs->client_pf.rmax = red_max;
++    vs->client_pf.rmax = red_max ? red_max : 0xFF;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+     vs->client_pf.rmask = red_max << red_shift;
+-    vs->client_pf.gmax = green_max;
++    vs->client_pf.gmax = green_max ? green_max : 0xFF;
+     vs->client_pf.gbits = hweight_long(green_max);
+     vs->client_pf.gshift = green_shift;
+     vs->client_pf.gmask = green_max << green_shift;
+-    vs->client_pf.bmax = blue_max;
++    vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+     vs->client_pf.bbits = hweight_long(blue_max);
+     vs->client_pf.bshift = blue_shift;
+     vs->client_pf.bmask = blue_max << blue_shift;
diff --git a/qemu.spec b/qemu.spec
index 926f75e..ad1e00a 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -43,7 +43,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -124,6 +124,8 @@ Patch0023: 0023-eepro100-Prevent-two-endless-loops.patch
 Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
 # CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
 Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
+# vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+Patch0026: 0026-ui-vnc-avoid-floating-point-exception.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1226,6 +1228,9 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Tue Dec 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-9
+- vnc: avoid floating point exceptions (bz #1289541, bz #1289542)
+
 * Mon Dec 07 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-8
 - Fix abort in abort in bdrv_error_action (bz #1277482)
 - Fix SSE4 emulation with accel=tcg (bz #1270703)