vnc: Limit r/w access to size of allocated memory

This fixes memory reads and writes which exceeded the upper limit
of allocated memory vd->guest.ds->data and vd->server->data.

Cc: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Stefan Weil 2012-03-14 07:58:48 +01:00 committed by Anthony Liguori
parent 175b2a6e4b
commit 9e4dd565b4


@ -2562,6 +2562,9 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
* Update server dirty map.
*/
cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
if (cmp_bytes > vd->ds->surface->linesize) {
cmp_bytes = vd->ds->surface->linesize;
}
guest_row = vd->guest.ds->data;
server_row = vd->server->data;
for (y = 0; y < vd->guest.ds->height; y++) {
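
Review bot: the clamp on cmp_bytes takes its bound from vd->ds->surface->linesize, but the rows it is meant to protect are vd->guest.ds->data and vd->server->data, assigned on the two lines just below it. If either of those surfaces can have a shorter row than vd->ds->surface, the comparison can still run past the end of the allocation; consider clamping against the smaller of the guest and server row sizes, or add a comment stating why all three are guaranteed equal at this point. The clamp also only covers a surface narrower than 16 pixels. The inner loop is not visible in this hunk, so it is worth confirming that the last block of a row whose width is not a multiple of 16 is bounded as well.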