From ff1a381f606e6f7aa101e6ab189fe7cc17cee6f9 Mon Sep 17 00:00:00 2001
From: Francois Gouget
Date: Wed, 1 Jun 2016 10:51:55 +0100
Subject: [PATCH] red-parse-qxl: Check consistency of QXL_DRAW_COPY operations

The source area should not extend outside the source bitmap, or have swapped coordinates.

Signed-off-by: Francois Gouget
Acked-by: Frediano Ziglio
---
 server/red-parse-qxl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 0dafbef4..0fdf9128 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -682,6 +682,20 @@ static int red_get_copy_ptr(RedMemSlotInfo *slots, int group_id,
 return 1;
 }
 red_get_rect_ptr(&red->src_area, &qxl->src_area);
+ /* The source area should not extend outside the source bitmap or have
+ * swapped coordinates.
+ */
+ if (red->src_area.left < 0 ||
+ red->src_area.left > red->src_area.right ||
+ red->src_area.top < 0 ||
+ red->src_area.top > red->src_area.bottom) {
+ return 1;
+ }
+ if (red->src_bitmap->descriptor.type == SPICE_IMAGE_TYPE_BITMAP &&
+ (red->src_area.right > red->src_bitmap->u.bitmap.x ||
+ red->src_area.bottom > red->src_bitmap->u.bitmap.y)) {
+ return 1;
+ }
 red->rop_descriptor = qxl->rop_descriptor;
 red->scale_mode = qxl->scale_mode;
 red_get_qmask_ptr(slots, group_id, &red->mask, &qxl->mask, flags);
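Review bot: The upper-bound test on `src_area.right` and `src_area.bottom` only runs when `descriptor.type == SPICE_IMAGE_TYPE_BITMAP`, so for every other image type the source rectangle read from the QXL command is still accepted with arbitrary right/bottom values. That contradicts the comment above it, which says the area must not extend outside the source bitmap. Either bound the other types as well, if their dimensions are known at this point, or narrow the comment, e.g. `/* Only raw bitmaps are bounds-checked here; other image types are not validated against their size in this function. */`. The two new `return 1;` paths are taken after `red->src_bitmap` has already been set (it is dereferenced in the second check), so it is worth confirming that the caller releases it on failure. That code, like the start and end of `red_get_copy_ptr`, is outside the hunk.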