Do not use static allocate space but handle dynamically
Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Timer queue is attached to current thread when created so it must be
created from the proper thread.
After worker initialization is moved in a following patch to main
thread the queue was created in the wrong thread causing program to
fail saying that the queue is NULL.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <ulublin@redhat.com>
Now that worker is created before running, and run() returns success,
there is no point in using MESSAGE_READY.
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Remove that hideous template header that should really be regular code
since it's specialized and instanciated only for pixmap.
Acked-by: Frediano Ziglio <fziglio@redhat.com>
A driver can overwrite surface state creating a surface with the same
id of a previous one.
Also can try to destroy surfaces that are not created.
Both requests cause invalid internal states that could lead to crashes
or memory corruptions.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Do not just give warning and continue to use an invalid index into
an array.
Resolves: CVE-2015-5260
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
For security reasons do not assume guest do not change structures it
pass to Qemu.
Guest could change count field while Qemu is copying QXLMonitorsConfig
structure leading to heap corruption.
This patch avoid it reading count only once.
This patch solves CVE-2015-3247.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Due to how the MIN macro is defined the function was called twice
unless the compiler could demonstrate that was returning the same
value (which actually is impossible as function as clock_gettime
are not deterministic).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
On 32 bit machine timespec->tv_sec (time_t) is 32 bit.
Also 1000 * 1000 * 1000 is 32 bit.
The multiplication of 2 32 bit integers gives a 32 bit integer, however
this can overflow.
Converting the first factor to 64 bit before the multiplication solves
the issue.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
if the environment variable in the title is set and can be
opened for writing a log of all display commands (no cursor
commands yet) and any QXLWorker calls (particularily primary
create and destroy) will be logged to that file, and possible
to replay using the replay utility introduced later.
For an example file (4 MB download, 300 MB after unpack with xz,
these 300 MB are themselves reduced from 1.2GB using zlib compression
for any chunk):
(old file without a header)
http://annarchy.freedesktop.org/~alon/win7_boot_shutdown.cmd.xz
Signed-off-by: Alon Levy <alon@pobox.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
There is a red_init() methods, we can group all the red_init_*() calls
in it rather than calling red_init() followed by all these calls in our
main function.
This has been renamed to SpiceImageCompression in order to avoid clashes
with older spice-server in the SPICE_IMAGE_COMPRESS_ namespace. This
commit is a straight rename of SpiceImageCompress to
SpiceImageCompression and SPICE_IMAGE_COMPRESS_ to
SPICE_IMAGE_COMPRESSION_
red_marshall_image() allows to use other than QUIC compression only
when auto_lz or auto_glz image compression is set. Other images don't
have the problem because they are compressed using red_compress_image()
Locking the individual calls that access the pixmap cache in fill_bits is
not adequately thread safe. Often a windows guest with multiple monitors
will be sending the same image via different threads. Both threads can
be in fill_bits at the same time making changes to the cache for the same
image. This can result in images being deleted before all the client
channels are finished with them or with the same image being send multiple
times. Here's what can happen with out the lock in fill_bits
On the server in red_worker.c:fill_bits
Thread 1 calls pixmap_cache_hit for Image A and finds it isn't in cache
Thread 2 calls pixmap_cache_hit for Image A and finds it isn't in cache
Thread 1 adds Image 1 to pixmap_cache (1x)
Thread 2 adds Image 1 to pixmap_cache (2x)
On the client
Channel 1 adds Image A to image_cache (1x)
Channel 2 replaces Image A in image_cache (1x)
On server
Thread 1 sends Image A rendering commands
Thread N removes Image A from pixmap_cache (image remains - 1x)
Thread 2 sends Image A rendering commands
On client
Channe1 renders from Image A
Channel N removes Image a from image_cache (image is completely removed)
Channel2 render command hangs waiting for Image A
