[client] added checks for invalid offsets by the guest
This commit is contained in:
parent
e2160a5eda
commit
bed2d95ccd
@ -50,6 +50,7 @@ struct AppState
|
|||||||
SDL_Window * window;
|
SDL_Window * window;
|
||||||
SDL_Renderer * renderer;
|
SDL_Renderer * renderer;
|
||||||
struct KVMGFXHeader * shm;
|
struct KVMGFXHeader * shm;
|
||||||
|
unsigned int shmSize;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct AppParams
|
struct AppParams
|
||||||
@ -216,6 +217,13 @@ int renderThread(void * unused)
|
|||||||
// calculate the texture size in bytes
|
// calculate the texture size in bytes
|
||||||
texSize = state.shm->width * state.shm->stride * bpp;
|
texSize = state.shm->width * state.shm->stride * bpp;
|
||||||
|
|
||||||
|
// ensure the size makes sense
|
||||||
|
if (state.shm->dataPos + texSize > state.shmSize)
|
||||||
|
{
|
||||||
|
DEBUG_ERROR("The guest sent an invalid dataPos");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
// setup two buffers so we don't have to use fences
|
// setup two buffers so we don't have to use fences
|
||||||
glGenBuffers(2, vboID);
|
glGenBuffers(2, vboID);
|
||||||
for (int i = 0; i < 2; ++i)
|
for (int i = 0; i < 2; ++i)
|
||||||
@ -273,6 +281,15 @@ int renderThread(void * unused)
|
|||||||
state.windowChanged = true;
|
state.windowChanged = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// final sanity checks on the data presented by the guest
|
||||||
|
// this is critical as the guest could overflow this buffer to
|
||||||
|
// try to take control of the host
|
||||||
|
if (state.shm->dataPos + texSize > state.shmSize)
|
||||||
|
{
|
||||||
|
DEBUG_ERROR("The guest sent an invalid dataPos");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
SDL_RenderClear(state.renderer);
|
SDL_RenderClear(state.renderer);
|
||||||
if (state.hasBufferStorage)
|
if (state.hasBufferStorage)
|
||||||
{
|
{
|
||||||
@ -630,6 +647,7 @@ int run()
|
|||||||
DEBUG_ERROR("Failed to map memory");
|
DEBUG_ERROR("Failed to map memory");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
state.shmSize = ivshmem_get_map_size();
|
||||||
state.shm->hostID = ivshmem_get_id();
|
state.shm->hostID = ivshmem_get_id();
|
||||||
|
|
||||||
if (params.useSpice)
|
if (params.useSpice)
|
||||||
|
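Review bot: The bound check `state.shm->dataPos + texSize > state.shmSize` in the second and third hunks can be defeated by wrap-around, because both operands derive from guest-writable shared memory: a dataPos near the type's maximum makes the sum wrap below shmSize, and texSize is `state.shm->width * state.shm->stride * bpp`, computed from guest values on the line above the first check with no overflow check of its own. A form that cannot wrap is `if (state.shm->dataPos > state.shmSize || texSize > state.shmSize - state.shm->dataPos)`, with a range check on width and stride before the multiplication. Because the guest can rewrite the shared region at any time, dataPos should also be read once into a local that is used both for the check and for the later copy; the use is outside these hunks, so I cannot confirm how it is currently read. The types of dataPos, width, stride and texSize are not visible on this page (only shmSize is, as `unsigned int`); the wrap analysis assumes unsigned arithmetic, and if any of them is signed the overflow is undefined behaviour rather than a wrap.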