Derived from

# HG changeset patch

# User Keir Fraser <keir.fraser@citrix.com>

# Date 1210687697 -3600

# Node ID 53195719f7621110dab7a97a2bca292b73baa715

# Parent  65eec0554f39049eab354abe1ee4c305f6d1e0aa

ioemu: Fix PVFB backend to validate frontend's frame buffer description

diff -rup a/tools/ioemu/hw/xenfb.c b/tools/ioemu/hw/xenfb.c

--- a/tools/ioemu/hw/xenfb.c	2008-04-22 18:51:35.000000000 +0200

+++ b/tools/ioemu/hw/xenfb.c	2008-04-22 18:52:07.000000000 +0200

@@ -23,8 +23,6 @@

 #define BTN_LEFT 0x110 /* from <linux/input.h> */

 #endif

-// FIXME defend against malicious frontend?

-

 struct xenfb;

 struct xenfb_device {

@@ -476,6 +474,56 @@ void xenfb_shutdown(struct xenfb *xenfb)

 	free(xenfb);

 }

+static int xenfb_configure_fb(struct xenfb *xenfb,

+			      int width, int height, int depth,

+			      size_t fb_len, int row_stride)

+{

+	size_t mfn_sz = sizeof(*((struct xenfb_page *)0)->pd);

+	size_t pd_len = sizeof(((struct xenfb_page *)0)->pd) / mfn_sz;

+	size_t fb_pages = pd_len * XC_PAGE_SIZE / mfn_sz;

+	size_t fb_len_lim = fb_pages * XC_PAGE_SIZE;

+	int max_width, max_height;

+

+	if (fb_len > fb_len_lim) {

+		fprintf(stderr,

+			"FB: frontend fb size %zu limited to %zu\n",

+			fb_len, fb_len_lim);

+		fb_len = fb_len_lim;

+	}

+	if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {

+		fprintf(stderr,

+			"FB: can't handle frontend fb depth %d\n",

+			depth);

+		return -1;

+	}

+	if (row_stride < 0 || row_stride > fb_len) {

+		fprintf(stderr,

+			"FB: invalid frontend stride %d\n", row_stride);

+		return -1;

+	}

+	max_width = row_stride / (depth / 8);

+	if (width < 0 || width > max_width) {

+		fprintf(stderr,

+			"FB: invalid frontend width %d limited to %d\n",

+			width, max_width);

+		width = max_width;

+	}

+	max_height = fb_len / row_stride;

+	if (height < 0 || height > max_height) {

+		fprintf(stderr,

+			"FB: invalid frontend height %d limited to %d\n",

+			height, max_height);

+		height = max_height;

+	}

+	xenfb->fb_len = fb_len;

+	xenfb->row_stride = row_stride;

+	xenfb->depth = depth;

+	xenfb->width = width;

+	xenfb->height = height;

+	fprintf(stderr, "Framebuffer %dx%dx%d stride %d\n",

+		width, height, depth, row_stride);

+	return 0;

+}

 static void xenfb_on_fb_event(struct xenfb *xenfb)

 {

@@ -506,7 +553,6 @@ static void xenfb_on_fb_event(struct xen

 			    || h != event->update.height) {

 				fprintf(stderr, "%s bogus update clipped\n",

 					xenfb->fb.nodename);

-				break;

 			}

 			xenfb_guest_copy(xenfb, x, y, w, h);

 			break;

@@ -686,16 +732,15 @@ static int xenfb_read_frontend_fb_config

                 xenfb->protocol[0] = '\0';

         xenfb_xs_printf(xenfb->xsh, xenfb->fb.nodename, "request-update", "1");

-        /* TODO check for permitted ranges */

         fb_page = xenfb->fb.page;

-        xenfb->depth = fb_page->depth;

-        xenfb->width = fb_page->width;

-        xenfb->height = fb_page->height;

-        /* TODO check for consistency with the above */

-        xenfb->fb_len = fb_page->mem_length;

-        xenfb->row_stride = fb_page->line_length;

-        fprintf(stderr, "Framebuffer depth %d width %d height %d line %d\n",

-                fb_page->depth, fb_page->width, fb_page->height, fb_page->line_length);

+	if (xenfb_configure_fb(xenfb,

+			       fb_page->width, fb_page->height, fb_page->depth,

+			       fb_page->mem_length, fb_page->line_length)

+	    < 0) {

+		errno = EINVAL;

+		return -1;

+	}

+

         if (xenfb_map_fb(xenfb, xenfb->fb.otherend_id) < 0)

 		return -1;