mirror of
https://github.com/gnif/LookingGlass.git
synced 2024-11-10 00:28:20 +00:00
[client] added checks for invalid offsets by the guest
parent
e2160a5eda
commit
bed2d95ccd
@ -50,6 +50,7 @@ struct AppState
|
||||
SDL_Window * window;
|
||||
SDL_Renderer * renderer;
|
||||
struct KVMGFXHeader * shm;
|
||||
unsigned int shmSize;
|
||||
};
|
||||
|
||||
struct AppParams
|
||||
@ -216,6 +217,13 @@ int renderThread(void * unused)
|
||||
// calculate the texture size in bytes
|
||||
texSize = state.shm->width * state.shm->stride * bpp;
|
||||
|
||||
// ensure the size makes sense
|
||||
if (state.shm->dataPos + texSize > state.shmSize)
|
||||
{
|
||||
DEBUG_ERROR("The guest sent an invalid dataPos");
|
||||
break;
|
||||
}
|
||||
|
||||
// setup two buffers so we don't have to use fences
|
||||
glGenBuffers(2, vboID);
|
||||
for (int i = 0; i < 2; ++i)
|
||||
@ -273,6 +281,15 @@ int renderThread(void * unused)
|
||||
state.windowChanged = true;
|
||||
}
|
||||
|
||||
// final sanity checks on the data presented by the guest
|
||||
// this is critical as the guest could overflow this buffer to
|
||||
// try to take control of the host
|
||||
if (state.shm->dataPos + texSize > state.shmSize)
|
||||
{
|
||||
DEBUG_ERROR("The guest sent an invalid dataPos");
|
||||
break;
|
||||
}
|
||||
|
||||
SDL_RenderClear(state.renderer);
|
||||
if (state.hasBufferStorage)
|
||||
{
|
||||
@ -630,6 +647,7 @@ int run()
|
||||
DEBUG_ERROR("Failed to map memory");
|
||||
break;
|
||||
}
|
||||
state.shmSize = ivshmem_get_map_size();
|
||||
state.shm->hostID = ivshmem_get_id();
|
||||
|
||||
if (params.useSpice)
|
||||
|
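Review bot: Both new bounds checks in renderThread, `if (state.shm->dataPos + texSize > state.shmSize)`, can be passed by wrap-around. The sum and the `width * stride * bpp` product that feeds texSize come from guest-written fields, and if they are 32-bit unsigned values, as `unsigned int shmSize` suggests, a large dataPos or texSize wraps the result below shmSize. A subtraction form avoids this: `if (state.shm->dataPos > state.shmSize || texSize > state.shmSize - state.shm->dataPos)`, with the multiplication done in a 64-bit type or range-checked first. Because state.shm is memory the guest can rewrite at any time, the check only holds if dataPos, width and stride are copied into locals once and the later buffer access uses those copies; the code that consumes them lies outside the visible hunks. It is also worth confirming in run() that ivshmem_get_map_size() cannot return a value wider than `unsigned int`, otherwise shmSize would be silently truncated.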