qemu/ui
Daniel P. Berrange 4c956bd81e ui: avoid sign extension using client width/height
Pixman returns a signed int for the image width/height, but the VNC
protocol only permits an unsigned int16. Effective framebuffer size
is determined by the guest, limited by the video RAM size, so the
dimensions are unlikely to exceed the range of an unsigned int16,
but this is not currently validated.

With the current use of 'int' for client width/height, the calculation
of offsets in vnc_update_throttle_offset() suffers from integer size
promotion and sign extension, causing coverity warnings

*** CID 1385147:  Integer handling issues  (SIGN_EXTENSION)
/ui/vnc.c: 979 in vnc_update_throttle_offset()
973      * than that the client would already suffering awful audio
974      * glitches, so dropping samples is no worse really).
975      */
976     static void vnc_update_throttle_offset(VncState *vs)
977     {
978         size_t offset =
>>>     CID 1385147:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension:
    "vs->client_pf.bytes_per_pixel" with type "unsigned char" (8 bits,
    unsigned) is promoted in "vs->client_width * vs->client_height *
    vs->client_pf.bytes_per_pixel" to type "int" (32 bits, signed), then
    sign-extended to type "unsigned long" (64 bits, unsigned).  If
    "vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel"
    is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
979             vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;

Change client_width / client_height to be a size_t to avoid sign
extension and integer promotion. Then validate that dimensions are in
range wrt the RFB protocol u16 limits.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20180118155254.17053-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-25 15:02:00 +01:00
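An added illustration of the promotion and sign extension the Coverity report above describes; this is not QEMU's code or this commit's diff. The `vnc_geom` struct, the two offset helpers and `rfb_dims_valid` are hypothetical stand-ins for the `VncState` fields and the range check the commit message mentions (the exact check in vnc.c is not shown on this page); a 64-bit `size_t` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical stand-in for the pre-fix VncState geometry fields. */
struct vnc_geom {
    int client_width;          /* signed int before the fix */
    int client_height;
    uint8_t bytes_per_pixel;   /* unsigned char, promoted to int in arithmetic */
};

#define RFB_MAX_DIM 65535u     /* RFB framebuffer width/height are u16 */
/* Emulates the pre-fix line
 *   size_t offset = client_width * client_height * bytes_per_pixel;
 * All operands promote to int, so the product is a 32-bit signed value.
 * Real int overflow is undefined behaviour, so the 32-bit wrap is reproduced
 * explicitly through uint32_t (the int32_t cast wraps on gcc/clang), and the
 * final int -> size_t conversion is the sign extension Coverity flagged. */
static size_t offset_pre_fix(const struct vnc_geom *g)
{
    uint32_t wrapped = (uint32_t)g->client_width * (uint32_t)g->client_height *
                       (uint32_t)g->bytes_per_pixel;
    int32_t as_int = (int32_t)wrapped;   /* what the int-typed product holds */
    return (size_t)as_int;               /* negative -> upper bits all 1 */
}

/* Post-fix arithmetic: size_t dimensions, so no intermediate int product. */
static size_t offset_post_fix(const struct vnc_geom *g)
{
    size_t w = (size_t)g->client_width, h = (size_t)g->client_height;
    return w * h * g->bytes_per_pixel;
}

/* Range check in the spirit of the commit: both dimensions must fit the RFB
 * u16 limits (the exact test in vnc.c is not shown on this page). */
static bool rfb_dims_valid(int width, int height)
{
    return width > 0 && height > 0 &&
           (unsigned)width <= RFB_MAX_DIM && (unsigned)height <= RFB_MAX_DIM;
}

int main(void)
{
    /* Constructed input: valid u16 dimensions whose pixel count exceeds INT_MAX */
    struct vnc_geom big = { 65535, 65535, 1 };
    printf("valid=%d pre-fix=%zu post-fix=%zu\n",
           rfb_dims_valid(big.client_width, big.client_height),
           offset_pre_fix(&big), offset_post_fix(&big));
    return 0;
}
```

Note that 65535 x 65535 passes the u16 range check yet still overflows a 32-bit int, which is why the commit changes the field types rather than relying on validation alone.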
keycodemapdb@10739aa260 ui: pull in latest keycodemapdb 2017-10-23 10:50:02 +02:00
shader opengl: add flipping vertex shader 2017-10-17 10:25:42 +02:00
cocoa.m cocoa.m: Fix scroll wheel support 2018-01-18 10:09:34 +00:00
console-gl.c ui: use QEMU_IS_ALIGNED macro 2017-11-10 14:27:29 +01:00
console.c ui: fix dcl unregister 2017-11-10 11:06:43 +01:00
curses_keys.h ui: add next and prior keysyms 2017-07-27 14:23:09 +02:00
curses.c console: purge curses bits from console.h 2017-09-29 10:36:33 +02:00
cursor_hidden.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor_left_ptr.xpm ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
cursor.c Replace all occurrences of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
egl-context.c egl: explicitly ask for core context 2017-05-12 12:02:48 +02:00
egl-headless.c egl-headless: add dmabuf support 2017-10-17 10:25:42 +02:00
egl-helpers.c egl-helpers: add egl_texture_blit and egl_texture_blend 2017-10-17 10:25:42 +02:00
gtk-egl.c opengl: move shader init from console-gl.c to shader.c 2017-10-17 10:25:42 +02:00
gtk-gl-area.c ui: opengl updates for dma-buf support. 2017-10-19 12:09:53 +01:00
gtk.c ui: deprecate use of GTK 2.x in favour of 3.x series 2018-01-12 14:30:34 +01:00
input-keymap.c ui: generate qcode to linux mappings 2017-12-14 15:24:30 -08:00
input-legacy.c ui: fix crash with sendkey and raw key numbers 2017-10-23 10:50:02 +02:00
input-linux.c ui: move qemu_input_linux_to_qcode() 2017-07-27 14:23:09 +02:00
input.c input: fix memory leak 2018-01-12 14:20:39 +01:00
keymaps.c General warn report fixups 2017-09-19 14:09:34 +02:00
keymaps.h ps2: fix sending of PAUSE/BREAK scancodes 2017-07-27 14:24:05 +02:00
Makefile.objs buildsys: Move sdl cflags/libs to per object 2017-09-22 10:20:34 +08:00
qemu-pixman.c pixman: drop submodule 2017-09-13 10:15:43 +02:00
qemu-x509.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
sdl2-2d.c SDL2: add bgrx pixel format 2016-06-03 08:23:26 +02:00
sdl2-gl.c opengl: move shader init from console-gl.c to shader.c 2017-10-17 10:25:42 +02:00
sdl2-input.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
sdl2-keymap.h sdl2: keymap fixups 2014-09-16 08:07:05 +02:00
sdl2.c sdl2: Ignore UI hotkeys after a focus change when GUI modifier is held 2018-01-12 15:51:18 +01:00
sdl_keysym.h ui/sdl2 : initial port to SDL 2.0 (v2.0) 2014-03-05 09:52:05 +01:00
sdl_zoom_template.h maint: Fix macros with broken 'do/while(0); ' usage 2018-01-16 14:54:52 +01:00
sdl_zoom.c all: Remove unnecessary glib.h includes 2016-06-07 18:19:24 +03:00
sdl_zoom.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
sdl.c shutdown: Add source information to SHUTDOWN and RESET 2017-05-23 13:28:17 +02:00
shader.c opengl: add flipping vertex shader 2017-10-17 10:25:42 +02:00
spice-core.c spice: remove unused timer list 2018-01-12 14:35:58 +01:00
spice-display.c Replace all occurrences of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
spice-input.c ui: correctly detect spice PAUSE scancode sequence 2017-07-28 12:35:40 +02:00
trace-events ui: add trace events related to VNC client throttling 2018-01-12 13:48:54 +01:00
vgafont.h ui: move files to ui/ and include/ui/ 2012-12-19 08:31:30 +01:00
vnc_keysym.h ui: add next and prior keysyms 2017-07-27 14:23:09 +02:00
vnc-auth-sasl.c ui: mix misleading comments & return types of VNC I/O helper methods 2018-01-12 13:48:54 +01:00
vnc-auth-sasl.h ui: mix misleading comments & return types of VNC I/O helper methods 2018-01-12 13:48:54 +01:00
vnc-auth-vencrypt.c ui: Always remove an old VNC channel watch before adding a new one 2017-10-04 13:21:53 +01:00
vnc-auth-vencrypt.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
vnc-enc-hextile-template.h pixman/vnc: use pixman images in vnc. 2012-11-01 14:00:04 +01:00
vnc-enc-hextile.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
vnc-enc-tight.c vnc: use DIV_ROUND_UP 2017-08-31 12:29:07 +02:00
vnc-enc-tight.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
vnc-enc-zlib.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
vnc-enc-zrle-template.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
vnc-enc-zrle.c vnc: simple clean up 2017-05-12 12:34:31 +02:00
vnc-enc-zrle.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
vnc-enc-zywrle-template.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
vnc-enc-zywrle.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
vnc-jobs.c ui: fix VNC client throttling when forced update is requested 2018-01-12 13:48:54 +01:00
vnc-jobs.h ui/vnc: Drop unused vnc_has_job() and vnc_jobs_clear() 2017-02-08 14:59:36 +01:00
vnc-palette.c all: Remove unnecessary glib.h includes 2016-06-07 18:19:24 +03:00
vnc-palette.h all: Clean up includes 2016-02-23 12:43:05 +00:00
vnc-ws.c ui: Always remove an old VNC channel watch before adding a new one 2017-10-04 13:21:53 +01:00
vnc-ws.h Clean up ill-advised or unusual header guards 2016-07-12 16:20:46 +02:00
vnc.c ui: avoid sign extension using client width/height 2018-01-25 15:02:00 +01:00
vnc.h ui: avoid sign extension using client width/height 2018-01-25 15:02:00 +01:00
x_keymap.c ui: Clean up includes 2016-02-04 17:01:04 +00:00
x_keymap.h