cc39a92cbfc8 fixed a SIGFPE where the screen is resized to width/hight 1 and then receives a mouse click. However, there is a still a tiny window here for a race between the test for width/height > 1 and the division.
Signed-off-by: Chris Webb <ch...@arachsys.com> --- Sending this as I've just seen a SIGFPE from one of the qemu-kvm VMs running in our public-facing cluster. Running gdb on the resulting core dump pointed at line #1424 of vnc.c: 1423 if (vs->absolute) { 1424 kbd_mouse_event(ds_get_width(vs->ds) > 1 ? 1425 x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000, 1426 ds_get_height(vs->ds) > 1 ? 1427 y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000, 1428 dz, buttons); I think this must have been a (tight) race between the comparison and the division. This should probably go to the 0.12-stable branch too as that's where I saw the crash. I can send a rebased patch if that's more convenient? A pity this crash happened just after the release of 0.12.5 rather than a week or two earlier! ui/vnc.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c index 7fc40ac..e04ebdf 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -1410,10 +1410,10 @@ static void pointer_event(VncState *vs, int button_mask, dz = 1; if (vs->absolute) { - kbd_mouse_event(ds_get_width(vs->ds) > 1 ? - x * 0x7FFF / (ds_get_width(vs->ds) - 1) : 0x4000, - ds_get_height(vs->ds) > 1 ? - y * 0x7FFF / (ds_get_height(vs->ds) - 1) : 0x4000, + int width = ds_get_width(vs->ds); + int height = ds_get_height(vs->ds); + kbd_mouse_event(width > 1 ? x * 0x7FFF / (width - 1) : 0x4000, + height > 1 ? y * 0x7FFF / (height - 1) : 0x4000, dz, buttons); } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) { x -= 0x7FFF; -- 1.7.1.1