Commit Graph

452 Commits

Author SHA1 Message Date
Frediano Ziglio
9eb8cd1b6e pass proper type to SPICE_CONTAINEROF
In some cases the member specified to SPICE_CONTAINEROF was not
exactly the same type as the pointer passed.
This can cause issues if the structure changes, so use the proper member.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Fabiano Fidêncio <fidencio@redhat.com>
2016-01-13 12:08:17 +01:00
Lukas Venhoda
bf9fd235b9 dcc: Don't disconnect channel, when compression is not supported
Don't disconnect the display channel, when unsupported compression is
requested from the client. Not changing the compression is enough.

https://bugs.freedesktop.org/show_bug.cgi?id=92821
Acked-by: Victor Toso <victortoso@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
2016-01-13 12:08:09 +01:00
Jeremy White
f44a63b8ec Flush display commands before validating the surface.
This fixes a display glitch in xspice which is caused when
a surface create is queued, but then a direct call to update
the area is issued.  Unless we flush the queue, the surface
does not exist, and we fail.

Signed-off-by: Jeremy White <jwhite@codeweavers.com>
2015-12-14 12:44:58 +01:00
Frediano Ziglio
aa09f04717 dcc: do not cause problem with multiple threads.
With multiple cards configured you can have multiple workers running in
different threads.
With such a configuration, static variables that are not synchronized could lead
to undefined behavior.

Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-12-11 18:56:54 +01:00
Christophe Fergeau
bb165ac3ab syntax-check: Don't use tabs for indentation 2015-12-11 18:39:49 +01:00
snir sheriber
b3898b4861 fix spelling mistakes in comments (reseting to resetting & dummym to dummy)
Acked-by: Frediano Ziglio <fziglio@redhat.com>
2015-12-11 18:39:31 +01:00
Frediano Ziglio
097c638b12 worker: avoid double free or double create of surfaces
A driver can overwrite surface state by creating a surface with the same
id as a previous one.
It can also try to destroy surfaces that are not created.
Both requests cause invalid internal states that could lead to crashes
or memory corruption.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
2015-10-06 11:07:15 +01:00
Frediano Ziglio
dd558bb833 worker: validate correctly surfaces
Do not just give a warning and continue to use an invalid index into
an array.

Resolves: CVE-2015-5260

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2015-10-06 11:07:15 +01:00
Marc-André Lureau
f2ea57335e worker: make it clear it returns from process when no cmd
Acked-by: Frediano Ziglio <fziglio@redhat.com>
2015-10-05 14:45:16 +01:00
Marc-André Lureau
bb969255c9 worker: count in drawable_new() 2015-09-29 18:59:54 +01:00
Jonathon Jongsma
61d458119e PALLET -> PALETTE
Use the correct spelling for the enumeration
2015-09-29 18:59:54 +01:00
Frediano Ziglio
bd6ea0db84 Avoid race conditions reading monitor configs from guest
For security reasons do not assume the guest does not change structures it
passes to Qemu.
The guest could change the count field while Qemu is copying the QXLMonitorsConfig
structure, leading to heap corruption.
This patch avoids it by reading count only once.

This patch solves CVE-2015-3247.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2015-09-08 16:09:50 +01:00
Frediano Ziglio
39be1c448c avoid to call red_get_streams_timout twice computing timeout
Due to how the MIN macro is defined, the function was called twice
unless the compiler could demonstrate that it was returning the same
value (which actually is impossible as functions such as clock_gettime
are not deterministic).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-09-03 16:04:27 +01:00
Marc-André Lureau
59f09e6968 Remove useless pack attribute
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-09-01 14:18:29 +01:00
Marc-André Lureau
82e1592ee1 server: remove srand(time(NULL))
This is clearly not a library responsibility.

Acked-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-09-01 14:18:25 +01:00
Alon Levy
30eece3e16 server/red_worker: remove redundant spice_warn_if in validate_surface
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-09-01 14:18:21 +01:00
Marc-André Lureau
af76aa6745 server: remove hardcoded RED_MAX_RENDERERS
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
2015-09-01 14:17:10 +01:00
Frediano Ziglio
055345d597 Simplify set_surface_release_info
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2015-08-27 23:50:29 +01:00
Frediano Ziglio
068bf4e83d prevent integer overflow on 32 bit
On a 32 bit machine timespec->tv_sec (time_t) is 32 bit.
Also 1000 * 1000 * 1000 is 32 bit.
The multiplication of 2 32 bit integers gives a 32 bit integer, however
this can overflow.
Converting the first factor to 64 bit before the multiplication solves
the issue.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
2015-08-26 15:24:09 +01:00
Frediano Ziglio
a9e34bd27a worker: remove unused members from Drawable
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2015-08-24 13:40:18 +01:00
Alon Levy
510a6b8dca server/red_worker: record to SPICE_WORKER_RECORD_FILENAME
if the environment variable in the title is set and can be
opened for writing, a log of all display commands (no cursor
commands yet) and any QXLWorker calls (particularly primary
create and destroy) will be logged to that file, and it will be possible
to replay it using the replay utility introduced later.

For an example file (4 MB download, 300 MB after unpack with xz,
these 300 MB are themselves reduced from 1.2GB using zlib compression
for any chunk):

(old file without a header)
http://annarchy.freedesktop.org/~alon/win7_boot_shutdown.cmd.xz

Signed-off-by: Alon Levy <alon@pobox.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
2015-08-21 09:38:44 +01:00
Marc-André Lureau
e4bbdc3391 worker: remove unused preload_group_id 2015-08-11 17:24:36 +02:00
Marc-André Lureau
6a38af37fc server: remove unused CursorData 2015-08-11 17:24:36 +02:00
Marc-André Lureau
e3187ebd29 worker: move red_init_*() functions
There is a red_init() method, we can group all the red_init_*() calls
in it rather than calling red_init() followed by all these calls in our
main function.
2015-08-11 17:21:59 +02:00
Christophe Fergeau
de66161c6e Adjust to new SpiceImageCompress name
This has been renamed to SpiceImageCompression in order to avoid clashes
with older spice-server in the SPICE_IMAGE_COMPRESS_ namespace. This
commit is a straight rename of SpiceImageCompress to
SpiceImageCompression and SPICE_IMAGE_COMPRESS_ to
SPICE_IMAGE_COMPRESSION_
2015-07-29 17:40:48 +02:00
Pavel Grunt
071647780d Use desired image compression for the first image
red_marshall_image() allows using compression other than QUIC only
when auto_lz or auto_glz image compression is set. Other images don't
have the problem because they are compressed using red_compress_image()
2015-07-13 11:52:09 +02:00
Javier Celaya
c914e96fb4 Handle preferred image compression messages 2015-06-30 16:49:29 +02:00
Javier Celaya
22c40b9d1f Use image compress constants from spice-protocol 2015-06-30 16:49:29 +02:00
Francois Gouget
aa22138d05 server: Remove the rate_control_is_active field from MJpegEncoder.
It is redundant with the corresponding callbacks.
2015-06-29 18:04:12 +02:00
Sandy Stutsman
e4a42e50c2 Lock the pixmap image cache for the entire fill_bits call
Locking the individual calls that access the pixmap cache in fill_bits is
not adequately thread safe.  Often a Windows guest with multiple monitors
will be sending the same image via different threads.  Both threads can
be in fill_bits at the same time making changes to the cache for the same
image.  This can result in images being deleted before all the client
channels are finished with them or with the same image being sent multiple
times.  Here's what can happen without the lock in fill_bits

On the server in red_worker.c:fill_bits
 Thread 1 calls pixmap_cache_hit for Image A and finds it isn't in cache
 Thread 2 calls pixmap_cache_hit for Image A and finds it isn't in cache

 Thread 1 adds Image 1 to pixmap_cache (1x)
 Thread 2 adds Image 1 to pixmap_cache (2x)

On the client
 Channel 1 adds Image A to image_cache (1x)
 Channel 2 replaces Image A in image_cache (1x)

On server
 Thread 1 sends Image A rendering commands
 Thread N removes Image A from pixmap_cache (image remains - 1x)
 Thread 2 sends Image A rendering commands

On client
 Channel 1 renders from Image A
 Channel N removes Image A from image_cache (image is completely removed)
 Channel 2 render command hangs waiting for Image A
2015-06-29 13:21:14 +02:00
Frediano Ziglio
6d4e58f70d server: allows to set maximum monitors
spice-server will attempt to limit the number of monitors.
The guest machine can send the monitor list it accepts. Limiting the number sent
by the guest will limit the number of monitors the client will try to enable.
The guest usually sees client monitors enabled and starts using them, so
not seeing a client monitor it won't try to enable more monitors.
In this case the additional monitors the guest can support will always be
seen as heads with no attached monitors.
This allows limiting the number of monitors without changing guest drivers.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
2015-06-26 16:17:42 +02:00
Francois Gouget
03af3f382d server: Refresh the input fps every 5 second, without a timer.
Signed-off-by: Francois Gouget <fgouget@codeweavers.com>
2015-06-22 19:47:58 +02:00
Frediano Ziglio
3c77eaa1d7 Use spice_malloc instead of malloc
Do not just check and give a warning before crashing the program
by accessing a NULL pointer, but use spice_malloc which exits with a
proper message.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
2015-06-16 09:53:35 +02:00
Jonathon Jongsma
a94836a467 Remove duplicate streaming enumeration
There is already an enumeration in a public header that defines the
different streaming options, so there's no need to duplicate that
enumeration internally. Just use the public enum values.
2015-06-15 13:08:42 -05:00
Fabiano Fidêncio
6b4c036bdb Do not compress bitmaps on UNIX socket
On UNIX socket do not perform unnecessary image compression
2015-02-25 17:18:29 +01:00
Javier Celaya
10c78a0197 LZ4: Send the original format with the compressed data 2015-02-03 10:39:16 +01:00
Javier Celaya
16412aa101 LZ4: Do not reverse bottom-up images
Reversing the bottom-up images in the server is not needed since Pixman,
in the client, is able to deal with them. As a result, the previous code
was more complex and wrong. This commit fixes and cleans it.
2015-02-03 10:39:16 +01:00
Javier Celaya
d6f22b2787 LZ4: Limit LZ4 to RGB formats
Currently, the LZ4 encoding only (partially) supports RGB images, so
we must check the image format before using it. In the future, indexed
formats may be implemented too, but their use is usually very small
compared to RGB.
2015-02-03 10:39:16 +01:00
Javier Celaya
b532ef0866 Add LZ4 compression support.
- Add lz4 encoder to compress an image of type LZ4 (see spice_common).
- Add code in red_worker to use LZ4 when it is enabled, and the client
  supports it through its display capability, or fallback to LZ.
- Add enable_lz4 switch in the configure script. Show LZ4 support at the
  end.
2014-12-02 19:41:17 +01:00
Marc-André Lureau
c541d7e29d Remove guest side video time-stamping
The multimedia time is defined by the server side monotonic time [1],
but the drawing time-stamp is done in guest side, so it requires
synchronization between host and guest. This is expensive, when no audio
is playing, there is a ~30x/sec wakeup to update the qxl device mmtime,
and it requires marking dirty the rom region.

Instead, the video timestamping can be done more efficiently on server
side, without visible drawbacks.

[1] a better timestamp could be the audio time, since audio players are
    usually in sync with audio time

Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=912763
2014-11-27 14:27:41 +01:00
Marc-André Lureau
c9685014e7 Validate RedDrawable before allocating drawable
Avoid unnecessary allocation (and possibly leaking) if the RedDrawable
is not valid.

Related to: rhbz#1135372
2014-11-25 15:37:45 +01:00
Christophe Fergeau
e270edcbfd Validate surface bounding box before using it
It's possible for a buggy guest driver to pass invalid bounding box
dimensions in QXL commands, which would then cause spice-server to
segfault. This patch checks the size of the bounding box of the QXL
command right after it has been parsed.

This fixes rhbz#1135372
2014-09-18 14:06:55 +02:00
Christophe Fergeau
2cc42d9358 Fix 'abberiviations' typo in comment 2014-09-18 14:06:55 +02:00
Marc-André Lureau
1898f3949c Fix crash when clearing surface memory
The beginning of the surface data needs to be computed correctly if the
stride is negative, otherwise, it should point already to the beginning
of the surface data. This bug seems to exist since 4a208b (0.5.2)

https://bugzilla.redhat.com/show_bug.cgi?id=1029646
2014-08-07 11:38:02 +02:00
Wang Qiang
e7db94d833 Fix make failed when uncommented COMPRESS_STAT in red_worker.c
https://bugs.freedesktop.org/show_bug.cgi?id=79246
As a developer, I may want to see the detailed compress stats of spice, like this:
Method   	  count  	orig_size(MB)	enc_size(MB)	enc_time(s)
QUIC     	     846	       948.02	      147.22	        7.51
GLZ      	    2895	       594.90	       26.60	        1.33
ZLIB GLZ 	       0	         0.00	        0.00	        0.00
LZ       	       1	         3.15	        0.01	        0.00
JPEG     	       0	         0.00	        0.00	        0.00
JPEG-RGBA	       0	         0.00	        0.00	        0.00
----------------------------------------------------------------------------
Total    	    3742	      1546.07	      173.83	        8.84

But when I uncommented COMPRESS_STAT and COMPRESS_DEBUG in red_worker.c and ran make,
I got some errors (in Bugzilla). These errors are caused by some simple syntax errors.
Commit this patch to fix this issue.

Signed-off-by: Wang Qiang <wangqiang.hunan@gmail.com>
2014-05-26 18:51:36 +02:00
소병철
3cb746329e Use PRI macros in printf to keep compatibility between 32/64bit system
Some of gcc's integer type definitions differ between 32/64bit systems.
This causes a platform dependency problem with the printf function. However,
we can avoid this problem by using PRI macros that support platform
independent printf.
2014-05-15 14:45:58 +02:00
Christophe Fergeau
8b347a641c Add reds_stream.[ch]
Gather common RedsStream code there rather than having it
in reds.c
2014-01-20 12:15:41 +01:00
Christophe Fergeau
df96538e1f Fix 'recive' typo throughout the code base
'receive' was misspelt 'recive' in multiple places.
2013-10-08 19:07:42 +02:00
Christophe Fergeau
394fd0e6b7 Namespace RECEIVE_BUF_SIZE 2013-10-08 19:07:41 +02:00
Marc-André Lureau
b18d867b31 server: handle red_get_surface_cmd() error explicitely
Don't ignore red_get_surface_cmd() error, and explicitly interrupt and
free cmd before processing.
2013-10-07 16:33:21 +02:00