[client] added checks for invalid offsets by the guest

This commit is contained in:
Geoffrey McRae 2017-11-25 20:21:57 +11:00
parent e2160a5eda
commit bed2d95ccd

View File

@ -50,6 +50,7 @@ struct AppState
SDL_Window * window;
SDL_Renderer * renderer;
struct KVMGFXHeader * shm;
unsigned int shmSize;
};
struct AppParams
@ -216,6 +217,13 @@ int renderThread(void * unused)
// calculate the texture size in bytes
texSize = state.shm->width * state.shm->stride * bpp;
// ensure the size makes sense
if (state.shm->dataPos + texSize > state.shmSize)
{
DEBUG_ERROR("The guest sent an invalid dataPos");
break;
}
// setup two buffers so we don't have to use fences
glGenBuffers(2, vboID);
for (int i = 0; i < 2; ++i)
@ -273,6 +281,15 @@ int renderThread(void * unused)
state.windowChanged = true;
}
// final sanity checks on the data presented by the guest
// this is critical as the guest could overflow this buffer to
// try to take control of the host
if (state.shm->dataPos + texSize > state.shmSize)
{
DEBUG_ERROR("The guest sent an invalid dataPos");
break;
}
SDL_RenderClear(state.renderer);
if (state.hasBufferStorage)
{
@ -630,6 +647,7 @@ int run()
DEBUG_ERROR("Failed to map memory");
break;
}
state.shmSize = ivshmem_get_map_size();
state.shm->hostID = ivshmem_get_id();
if (params.useSpice)