Commit Graph

2247 Commits

Author SHA1 Message Date
Tudor Brindus
8982493239 [client] clipboard: fix heap-buffer overflow in clipboardRequest
=================================================================
==7680==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000ec010 at pc 0x5622fcf9f386 bp 0x7f36084ff680 sp 0x7f36084ff678
WRITE of size 4 at 0x6020000ec010 thread T1
    #0 0x5622fcf9f385 in clipboardRequest /code/LookingGlass/client/src/main.c:707
    #1 0x5622fd0036c9 in wayland_cb_notice /code/LookingGlass/client/clipboards/Wayland/src/wayland.c:521
    #2 0x5622fcf9f4dc in spiceClipboardNotice /code/LookingGlass/client/src/main.c:724
    #3 0x5622fcfc4d59 in spice_agent_process /code/LookingGlass/repos/PureSpice/src/spice.c:1106
    #4 0x5622fcfc16d6 in spice_on_main_channel_read /code/LookingGlass/repos/PureSpice/src/spice.c:655
    #5 0x5622fcfbee4f in spice_process /code/LookingGlass/repos/PureSpice/src/spice.c:361
    #6 0x5622fcf9e3a2 in spiceThread /code/LookingGlass/client/src/main.c:598
    #7 0x5622fd006b5e in threadWrapper /code/LookingGlass/common/src/platform/linux/thread.c:39
    #8 0x7f3614b2bf26 in start_thread /build/glibc-WZtAaN/glibc-2.30/nptl/pthread_create.c:479
    #9 0x7f3614a4c2ee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfd2ee)

0x6020000ec011 is located 0 bytes to the right of 1-byte region [0x6020000ec010,0x6020000ec011)
allocated by thread T1 here:
    #0 0x7f36156f9628 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x107628)
    #1 0x5622fcf9f33f in clipboardRequest /code/LookingGlass/client/src/main.c:705
    #2 0x5622fd0036c9 in wayland_cb_notice /code/LookingGlass/client/clipboards/Wayland/src/wayland.c:521
    #3 0x5622fcf9f4dc in spiceClipboardNotice /code/LookingGlass/client/src/main.c:724
    #4 0x5622fcfc4d59 in spice_agent_process /code/LookingGlass/repos/PureSpice/src/spice.c:1106
    #5 0x5622fcfc16d6 in spice_on_main_channel_read /code/LookingGlass/repos/PureSpice/src/spice.c:655
    #6 0x5622fcfbee4f in spice_process /code/LookingGlass/repos/PureSpice/src/spice.c:361
    #7 0x5622fcf9e3a2 in spiceThread /code/LookingGlass/client/src/main.c:598
    #8 0x5622fd006b5e in threadWrapper /code/LookingGlass/common/src/platform/linux/thread.c:39
    #9 0x7f3614b2bf26 in start_thread /build/glibc-WZtAaN/glibc-2.30/nptl/pthread_create.c:479

Thread T1 created by T0 here:
    #0 0x7f361562b9b2 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x399b2)
    #1 0x5622fd006cd0 in lgCreateThread /code/LookingGlass/common/src/platform/linux/thread.c:50
    #2 0x5622fcfa5a7d in lg_run /code/LookingGlass/client/src/main.c:1615
    #3 0x5622fcface28 in main /code/LookingGlass/client/src/main.c:2035
    #4 0x7f3614975e0a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /code/LookingGlass/client/src/main.c:707 in clipboardRequest
Shadow bytes around the buggy address:
  0x0c04800157b0: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c04800157c0: fa fa fd fd fa fa fd fa fa fa 00 fa fa fa 00 fa
  0x0c04800157d0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa fa fa
  0x0c04800157e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800157f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480015800: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480015810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480015820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480015830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480015840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480015850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7680==ABORTING
2021-01-10 14:52:58 +11:00
Quantum
4051cc6f93 [client] spice: fix cursor position mismatch with UI scaling 2021-01-10 13:51:20 +11:00
Netboy3
1727c7726b [client] fix screensaver enable
The hint "SDL_HINT_VIDEO_ALLOW_SCREENSAVER" only works if set
before SDL_Init(). Move it to the proper location.
2021-01-10 13:43:57 +11:00
Quantum
0b890ed1ac [client] add support for compiling with AddressSanitizer 2021-01-10 13:42:58 +11:00
Geoffrey McRae
fa1deafd58 Revert "[client] spice: better x11 grab/ungrab behaviour"
This reverts commit 18f9d936c6.
2021-01-10 01:00:40 +11:00
Geoffrey McRae
176cc394d1 [client] don't show capture message at startup unless it's on 2021-01-10 00:56:34 +11:00
Geoffrey McRae
18f9d936c6 [client] spice: better x11 grab/ungrab behaviour 2021-01-10 00:55:31 +11:00
Geoffrey McRae
4334912e01 [client] egl: actually set the dma texture member 2021-01-09 22:16:40 +11:00
Geoffrey McRae
19db67cfe5 [client] egl: detect the NVIDIA driver and disable DMA support
DMA support for NVIDIA is advertised as available by the presence of the
extension `EGL_EXT_image_dma_buf_import`, however it is completely
broken. Until this is fixed, refuse to use DMA support even if VM->VM
support is possible.

See: https://forums.developer.nvidia.com/t/egl-ext-image-dma-buf-import-broken-egl-bad-alloc-with-tons-of-free-ram/165552
2021-01-09 21:25:41 +11:00
Geoffrey McRae
21ba14f629 [client] spice: fix loss of click/focus on resize 2021-01-09 18:41:02 +11:00
Quantum
c9f41ea69e [client] fix ignoreQuit on Wayland
On Wayland, SDL_WINDOWEVENT_CLOSE is sent even when exiting with keyboard
shortcuts. This meant that the client was still closed even with -Q.

We now swallow SDL_WINDOWEVENT_CLOSE if the cursor is inside the VM. This
should prevent keyboard shortcuts from closing the client, while still
allowing the window to be closed by clicking X with the mouse per #138.
2021-01-09 18:28:43 +11:00
Geoffrey McRae
f47c8cb806 [client] add input:captureOnly to disable input when not captured 2021-01-09 18:01:08 +11:00
Geoffrey McRae
5e9cfb9033 [client] updated README with new option description 2021-01-09 14:56:28 +11:00
Geoffrey McRae
318759f54d [client] spice: allow mouse smoothing in capture but only if not RAW 2021-01-09 14:55:20 +11:00
Geoffrey McRae
1a4ac4c109 [client] updated README with new options 2021-01-09 14:41:48 +11:00
Geoffrey McRae
579be87597 [client] spice: added basic mouse smoothing for non-capture mode
Enabled by default, can be disabled with `input:mouseSmoothing`
2021-01-09 14:39:48 +11:00
Geoffrey McRae
ce96c77098 [client] spice: fixed grabKeyboardOnFocus regression 2021-01-08 23:15:48 +11:00
Geoffrey McRae
1c016ac0cd [client] cursor: ensure cursor is rendered at init and aligned 2021-01-08 23:12:15 +11:00
Geoffrey McRae
86ca1bbbd6 [client] fix issues with cursor not always showing 2021-01-08 21:46:34 +11:00
Geoffrey McRae
3ac178a305 [client] spice: when in autoCapture limit the exit delta
Rapid movements in games can cause large deltas that may cause the client
to allow the mouse to exit when this is not desired. This change
attempts to limit this by ignoring large movements when using
this mode.
2021-01-08 21:00:38 +11:00
Geoffrey McRae
40c3c38681 [client] refactor struct CursorState to use struct DoublePoint 2021-01-08 20:49:20 +11:00
Geoffrey McRae
d2a4f8f346 [client] spice: don't ignore input that doesn't exit the window 2021-01-08 20:45:11 +11:00
Geoffrey McRae
59ea957d0d [client] spice: don't grab the keyboard input unless we are focused 2021-01-08 20:26:32 +11:00
Geoffrey McRae
f352463d19 [client] spice: obey input:grabKeyboard 2021-01-08 20:13:41 +11:00
Geoffrey McRae
2789e73296 [client] spice: added new input:autoCapture mode
This new mode, if enabled (disabled by default), will cause the client to
attempt to hold onto the mouse when a title/game has it captured in the
guest. This is best effort and is not a replacement for full capture
mode.
2021-01-08 19:41:10 +11:00
Geoffrey McRae
6c8eba5f54 [client] spice: rewrite cursor handling code to take advantage of xinput 2021-01-08 15:37:40 +11:00
Geoffrey McRae
4b13e590e1 [client] updated the PureSpice submodule 2021-01-08 08:54:27 +11:00
Geoffrey McRae
6030d2f189 [client] spice: filter out events that have < 2 axes
This prevents the mouse wheel from being treated as a cursor movement
2021-01-08 08:42:19 +11:00
Geoffrey McRae
2788394631 [client] all: use nanosleep instead of usleep for better precision 2021-01-08 08:27:12 +11:00
Geoffrey McRae
b0f2a2e39f [client] spice: flag the cursor as inView unconditionally in capture 2021-01-08 03:27:03 +11:00
Geoffrey McRae
526572c9c9 [client] added new feature input:rawMouse for RAW mouse input
This option allows those that want it (gamers) to bypass all X11 mouse
acceleration and smoothing giving true 1:1 input to the guest while in
capture mode. Note: only supported for X11!
2021-01-08 03:12:42 +11:00
Geoffrey McRae
c99561c2ac [client] spice: filter out duplicate X xinput events 2021-01-08 02:52:47 +11:00
Geoffrey McRae
62f59ce50d [client] spice: don't use the raw data values for raw input
While using the RAW movement data sounds like a good idea, the user
experience is quite bad as the mouse acceleration between host and guest
changes when entering capture mode. This change alters this behaviour to use
the values after processing by the X server while retaining the simpler
code path for capture mode.
2021-01-08 02:04:30 +11:00
Geoffrey McRae
f85b6418b8 [common] linux: stop event signals accumulating after they are serviced 2021-01-08 01:18:02 +11:00
Geoffrey McRae
fb9cf6cfbc [client] spice: apply sensitivity when in raw capture mode 2021-01-08 01:01:53 +11:00
Geoffrey McRae
974b409e91 [client] spice: x11 use xinput2 raw mode if possible for captured mouse 2021-01-08 00:44:15 +11:00
Geoffrey McRae
27a5a0811b [client] spice: detect end of warp based on serial and x & y match
x11 serials are per server command, not per event. As such, several
events may be processed by the server before a new event is received,
causing the existing logic to fail. This changes the logic to check for
a larger serial instead of an exact match, and confirms the completion
of the warp by matching the target x/y.
2021-01-08 00:07:43 +11:00
Geoffrey McRae
d6bb518992 [client] spice: refactor g_cursor.last to g_cursor.pos 2021-01-07 02:16:55 +11:00
Geoffrey McRae
026251cfd9 [client] spice: fix reversed warp offset math and incorrect lookbehind 2021-01-07 02:05:47 +11:00
Geoffrey McRae
9b309db964 [client] spice: general improvements to cursor warp logic
Previously only up to two pending warp requests were possible; this
changes this so that additional warps can be queued if the cursor's
delta has moved more than 50px between each warp request.

The old code also had an error where it would null out any additional
movement since the warp was requested but before it was processed; this
has been corrected.
2021-01-06 22:11:28 +11:00
Geoffrey McRae
271276a0a9 [client] ll: add new method ll_peek_tail 2021-01-06 22:11:10 +11:00
Geoffrey McRae
67022d664f [client] spice: look for x11 warp completion events in key/btn events. 2021-01-06 20:17:52 +11:00
Geoffrey McRae
09e02b0613 [client] spice: prevent the cursor from escaping while captured 2021-01-06 08:35:13 +11:00
Geoffrey McRae
e70f585cfc [client] spice: fix rounding issue causing entry->exit in the same event
This fixes an issue where the warp to center could break as the user
moves their cursor slowly over one of the bottom or right edges of the
screen while it's letterboxed.
2021-01-06 08:34:14 +11:00
Geoffrey McRae
c2ad9666bb [host] use the HotSpot information as provided by DXGI
I must have originally overlooked this member when I wrote this code. :S
2021-01-05 20:55:39 +11:00
Geoffrey McRae
d2d6ecd1c1 [client] spice: always flush XWarpPointer calls 2021-01-05 11:53:42 +11:00
Geoffrey McRae
6f99280fe3 [client] fix the warp logic to account for still pending warps to finish
As X11 is a server/client protocol, commands such as XWarpPointer do
not take effect immediately, so we need to identify when the warp is
complete to know when to null out the movement. To do this we track each
warp issued and look for its completion in the event filter. As some
events come in via XInput2 we need to also make use of this instead of
just relying on MotionNotify, so the support has been implemented for
XI_Motion events.
2021-01-05 11:47:17 +11:00
Geoffrey McRae
18e84c88a0 [client] ll: fix failure to properly track the list size 2021-01-05 11:42:26 +11:00
Geoffrey McRae
25d370ef22 [client] move new scaling variables into the CursorState struct 2021-01-05 09:48:30 +11:00
Geoffrey McRae
6c12990d26 [client] print out the client version too when there is a mismatch 2021-01-05 09:18:40 +11:00