qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] Re: [PATCH RESEND 2/2] vnc: Fix heap corruption

From: Stefan Weil
Subject: Re: [Qemu-devel] Re: [PATCH RESEND 2/2] vnc: Fix heap corruption
Date: Wed, 02 Mar 2011 23:27:47 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20101226 Iceowl/1.0b1 Icedove/3.0.11 
Am 02.03.2011 23:01, schrieb Stefan Weil:

Am 02.03.2011 19:47, schrieb Peter Maydell:

On 2 March 2011 18:36, Stefan Weil <address@hidden> wrote:

No. I dont't think that the third parameter of bitmap_clear is
ok like that. See my patch for the correct value.


Wen's patch:

+ const size_t width = ds_get_width(vd->ds) / 16;
[...]
-    bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
-    bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
-                 VNC_DIRTY_WORDS * BITS_PER_LONG);
+    bitmap_set(width_mask, 0, width);
+ bitmap_clear(width_mask, width, VNC_DIRTY_WORDS * BITS_PER_LONG - width); 

Your patch:

bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
- VNC_DIRTY_WORDS * BITS_PER_LONG);
+ (VNC_MAX_WIDTH - ds_get_width(vd->ds)) / 16);

Since ui/vnc.h has:

#define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * BITS_PER_LONG))

the third parameter to bitmap_clear is the same value in
both cases, isn't it? Or is this a rounding bug?

-- PMM


Because of rounding effects, both values can be different.

The part missing in my patch is correct handling of another
rounding effect:

VNC_DIRTY_WORDS is exact for 32 bit long values (and the
"old" code which used uint32_t until some weeks ago), where
VNC_DIRTY_WORDS = 2560/16/32 = 5.

For 64 bit values, VNC_DIRTY_WORDS = 2560/16/64 = 2 (rounded)!

Stefan W.



Is bitmap_clear() really needed here? Meanwhile I think it is not,
so this might be a new patch variant...
reply via email to
[Prev in Thread] Current Thread [Next in Thread]