rhbz#966835

We do not support copying such bitmaps. But instead of failing
operations that involve such bitmaps we either BSODed (in checked
builds), or proceeded with the bitmap copying (in free builds) - this led to
an infinite loop allocating QXLDataChunks without any data, just the header.
---
 xddm/display/res.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/xddm/display/res.c b/xddm/display/res.c
index e494271..6f04475 100644
--- a/xddm/display/res.c
+++ b/xddm/display/res.c
@@ -1871,7 +1871,11 @@ static _inline Resource *GetBitmapImage(PDev *pdev, 
SURFOBJ *surf, XLATEOBJ *col
     DEBUG_PRINT((pdev, 12, "%s\n", __FUNCTION__));
     ASSERT(pdev, width > 0 && height > 0);
 
-    ASSERT(pdev, BITS_BUF_MAX > line_size);
+    if (line_size >= BITS_BUF_MAX) {
+        DEBUG_PRINT((pdev, 0, "%s: line size (%u) exceeds max (%u)\n", 
__FUNCTION__,
+                     line_size, BITS_BUF_MAX));
+        return NULL;
+    }
     alloc_size = BITMAP_ALLOC_BASE + BITS_BUF_MAX - BITS_BUF_MAX % line_size;
     alloc_size = MIN(BITMAP_ALLOC_BASE + height * line_size, alloc_size);
     image_res = AllocMem(pdev, MSPACE_TYPE_DEVRAM, alloc_size);
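Review bot: The new guard bounds line_size from above but still lets a zero line_size reach `BITS_BUF_MAX % line_size` two lines later, which would divide by zero; if line_size can be zero here (its computation is outside the hunk), the check should read `if (line_size == 0 || line_size >= BITS_BUF_MAX) {`. Since GetBitmapImage now has a NULL-returning failure path instead of asserting, a comment above the return would make the contract explicit for callers: `/* Unsupported line size: callers must handle NULL. */`. The `%u` conversions assume line_size and BITS_BUF_MAX are unsigned int; if either has a wider or signed type, the DEBUG_PRINT arguments should be cast to match. GetBitmapImage's body continues beyond the hunk.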
@@ -2305,6 +2309,9 @@ BOOL QXLGetBitmap(PDev *pdev, QXLDrawable *drawable, 
QXLPHYSICAL *image_phys, SU
                                    src, line_size, key))) {
         image_res = GetBitmapImage(pdev, surf, color_trans, !!cache_image, 
width, height, format,
                                    src, line_size, key);
+        if (!image_res) {
+            return FALSE;
+        }
     }
     internal = (InternalImage *)image_res->res;
     if (high_bits_set) {
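Review bot: The early `return FALSE;` leaves QXLGetBitmap without undoing anything the function may have done before this point; the function's start is outside the hunk, so if it has already acquired a resource or written into `drawable` by here, that state is left behind on this path — please confirm. The same applies to the identical insert in QXLGetAlphaBitmap in the next hunk. A one-line comment would document the new contract: `/* NULL: bitmap has an unsupported line size; nothing to draw. */`.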
@@ -2435,6 +2442,9 @@ BOOL QXLGetAlphaBitmap(PDev *pdev, QXLDrawable *drawable, 
QXLPHYSICAL *image_phy
                                    SPICE_BITMAP_FMT_RGBA, src, width << 2, 
key))) {
         image_res = GetBitmapImage(pdev, surf, NULL, !!cache_image, width, 
height,
                                    SPICE_BITMAP_FMT_RGBA, src, width << 2, 
key);
+        if (!image_res) {
+            return FALSE;
+        }
     }
     internal = (InternalImage *)image_res->res;
     if ((internal->cache = cache_image)) {
-- 
1.8.1.4
