« Previous | Next » 

Revision 23bfe28f

ID23bfe28fffd6fff12a39c1ff7274b0dfdecbfa38

Added by Stefan Weil almost 10 years ago

vnc: Fix stack corruption and other bitmap related bugs

Commit bc2429b9174ac2d3c56b7fd35884b0d89ec7fb02 introduced
a severe bug (stack corruption).

bitmap_clear was called with a wrong argument
which caused out-of-bound writes to the local variable width_mask.

This bug was detected with QEMU running on windows.
It also occurs with wine:

  • stack smashing detected ***: terminated
    wine: Unhandled illegal instruction at address 0x6115c7 (thread 0009), starting debugger...

The bug is not windows specific!

Instead of fixing the wrong parameter value, bitmap_clear(), bitmap_set
and width_mask were removed, and bitmap_intersect() was replaced by
!bitmap_empty(). The new operation is much shorter and equivalent to
the old operations.

The declarations of the dirty bitmaps in vnc.h were also wrong for 64 bit
hosts because of a rounding effect: for these hosts, VNC_MAX_WIDTH is no
longer a multiple of (16 * BITS_PER_LONG), so the rounded value of
VNC_DIRTY_WORDS was too small.

Fix both declarations by using the macro which is designed for this
purpose.

Cc: Corentin Chary <>
Cc: Wen Congyang <>
Cc: Gerhard Wiesinger <>
Cc: Anthony Liguori <>
Signed-off-by: Stefan Weil <>
Signed-off-by: Anthony Liguori <>

Files

  • added
  • modified
  • copied
  • renamed
  • deleted

View differences