From patchwork Fri Aug 18 15:10:55 2023
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 714636
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, Marc-André Lureau, Philippe Mathieu-Daudé
Subject: [PATCH 1/3] ui/spice-display: Avoid dynamic stack allocation
Date: Fri, 18 Aug 2023 16:10:55 +0100
Message-Id: <20230818151057.1541189-2-peter.maydell@linaro.org>
In-Reply-To: <20230818151057.1541189-1-peter.maydell@linaro.org>
References: <20230818151057.1541189-1-peter.maydell@linaro.org>

Use an autofree heap allocation instead of a variable-length array
on the stack in qemu_spice_create_update(). The codebase has very
few VLAs, and if we can get rid of them all we can make the compiler
error on new additions. This is a defensive measure against security
bugs where an on-stack dynamic allocation isn't correctly size-checked
(e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
---
I was a little unsure about this allocation given that it's in the
display_refresh callback, but the code already does a g_malloc()
every time it calls qemu_spice_create_one_update() so one more
presumably won't hurt.
---
 ui/spice-display.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ui/spice-display.c b/ui/spice-display.c index 3f3f8013d86..0e2fbfb17c1 100644 --- a/ui/spice-display.c +++ b/ui/spice-display.c @@ -189,7 +189,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) { static const int blksize = 32; int blocks = DIV_ROUND_UP(surface_width(ssd->ds), blksize); - int dirty_top[blocks]; + g_autofree int *dirty_top = NULL; int y, yoff1, yoff2, x, xoff, blk, bw; int bpp = surface_bytes_per_pixel(ssd->ds); uint8_t *guest, *mirror; 
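Review bot: `g_autofree int *dirty_top = NULL;` is deliberately not initialised with the allocation, which lands after the early `return` in the following hunk; that is correct (g_autofree ends up calling g_free(), and g_free(NULL) is a no-op, so the early-return path releases nothing), but it is not obvious from this hunk alone, so a short comment on the declaration saying the buffer is allocated only once an update is known to be needed would keep a later cleanup from moving the g_new() into the initialiser and paying a heap allocation on every refresh that has nothing to draw. `blocks` is still derived from surface_width() before that check; with a zero-width surface g_new(int, 0) returns NULL and the loops over `blocks` do nothing, so no further guard is needed.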
@@ -198,6 +198,7 @@ static void qemu_spice_create_update(SimpleSpiceDisplay *ssd) return; }; + dirty_top = g_new(int, blocks); for (blk = 0; blk < blocks; blk++) { dirty_top[blk] = -1; }

From patchwork Fri Aug 18 15:10:56 2023
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 714635
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, Marc-André Lureau, Philippe Mathieu-Daudé
Subject: [PATCH 2/3] ui/vnc-enc-hextile: Use static rather than dynamic length stack array
Date: Fri, 18 Aug 2023 16:10:56 +0100
Message-Id: <20230818151057.1541189-3-peter.maydell@linaro.org>
In-Reply-To: <20230818151057.1541189-1-peter.maydell@linaro.org>
References: <20230818151057.1541189-1-peter.maydell@linaro.org>

In the send_hextile_tile_* function we create a variable length
array data[]. In fact we know that the client_pf.bytes_per_pixel
is at most 4 (enforced by set_pixel_format()), so we can make the
array a compile-time fixed length of 1536 bytes.

The codebase has very few VLAs, and if we can get rid of them all
we can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
---
 ui/vnc-enc-hextile-template.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ui/vnc-enc-hextile-template.h b/ui/vnc-enc-hextile-template.h
index 0c56262afff..283c0eaefaf 100644
--- a/ui/vnc-enc-hextile-template.h +++ b/ui/vnc-enc-hextile-template.h @@ -7,6 +7,8 @@ #define NAME BPP #endif +#define MAX_CLIENT_BPP 4 + static void CONCAT(send_hextile_tile_, NAME)(VncState *vs, int x, int y, int w, int h, void *last_bg_, @@ -25,10 +27,13 @@ static void CONCAT(send_hextile_tile_, NAME)(VncState *vs, int bg_count = 0; int fg_count = 0; int flags = 0; - uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16]; + uint8_t data[(MAX_CLIENT_BPP + 2) * 16 * 16]; int n_data = 0; int n_subtiles = 0; + /* Enforced by set_pixel_format() */ + assert(vs->client_pf.bytes_per_pixel <= MAX_CLIENT_BPP); + for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { switch (n_colors) { 
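Review bot: `#define MAX_CLIENT_BPP 4` restates a limit that, per the new comment, is enforced in set_pixel_format(), and nothing ties the two together: if that check is ever relaxed, this constant stays at 4 and data[] becomes too small without any compile-time complaint. Defining the bound once in a header shared with set_pixel_format() and using it in that check would keep them in step; failing that, a note beside the set_pixel_format() check pointing at this template is the minimum. As this is a template header included once per BPP, the matching `#undef MAX_CLIENT_BPP` in the final hunk follows the existing `#undef NAME` / `#undef pixel_t` convention, so that part is fine.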
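Review bot: `uint8_t data[(MAX_CLIENT_BPP + 2) * 16 * 16]` trades an unbounded VLA for a fixed 1536-byte stack buffer, which changes the failure mode: a bytes_per_pixel larger than 4 would now overrun data[] rather than merely grow the frame, so `assert(vs->client_pf.bytes_per_pixel <= MAX_CLIENT_BPP)` documents an invariant that set_pixel_format() must keep rather than being a defence in its own right (it vanishes should assertions ever be compiled out). Extending the comment from "Enforced by set_pixel_format()" to also say that data[] is sized for MAX_CLIENT_BPP would make that coupling explicit to whoever next edits either function.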
@@ -205,6 +210,7 @@ static void CONCAT(send_hextile_tile_, NAME)(VncState *vs, } } +#undef MAX_CLIENT_BPP #undef NAME #undef pixel_t #undef CONCAT_I

From patchwork Fri Aug 18 15:10:57 2023
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 714637
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, Marc-André Lureau, Philippe Mathieu-Daudé
Subject: [PATCH 3/3] ui/vnc-enc-tight: Avoid dynamic stack allocation
Date: Fri, 18 Aug 2023 16:10:57 +0100
Message-Id: <20230818151057.1541189-4-peter.maydell@linaro.org>
In-Reply-To: <20230818151057.1541189-1-peter.maydell@linaro.org>
References: <20230818151057.1541189-1-peter.maydell@linaro.org>

From: Philippe Mathieu-Daudé

Use an autofree heap allocation instead of a variable-length array
on the stack.

The codebase has very few VLAs, and if we can get rid of them all
we can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Philippe Mathieu-Daudé
[PMM: expanded commit message]
Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
---
 ui/vnc-enc-tight.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index ee853dcfcb8..41f559eb837 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -1097,13 +1097,13 @@ static int send_palette_rect(VncState *vs, int x, int y, switch (vs->client_pf.bytes_per_pixel) { case 4: { - size_t old_offset, offset; - uint32_t header[palette_size(palette)]; + size_t old_offset, offset, palette_sz = palette_size(palette); + g_autofree uint32_t *header = g_new(uint32_t, palette_sz); struct palette_cb_priv priv = { vs, (uint8_t *)header }; old_offset = vs->output.offset; palette_iter(palette, write_palette, &priv); - vnc_write(vs, header, sizeof(header)); + vnc_write(vs, header, palette_sz * sizeof(uint32_t)); if (vs->tight->pixel24) { tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset); @@ -1115,11 +1115,12 @@ static int send_palette_rect(VncState *vs, int x, int y, } case 2: { - uint16_t header[palette_size(palette)]; + size_t palette_sz = palette_size(palette); + g_autofree uint16_t *header = g_new(uint16_t, palette_sz); struct palette_cb_priv priv = { vs, (uint8_t *)header }; palette_iter(palette, write_palette, &priv); - vnc_write(vs, header, sizeof(header)); + vnc_write(vs, header, palette_sz * sizeof(uint16_t)); tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette); break; }
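Review bot: in the `case 4` arm, `vnc_write(vs, header, palette_sz * sizeof(uint32_t))` is the necessary companion to the g_new(): once `header` is a pointer rather than a VLA, `sizeof(header)` would silently become the pointer size, so keeping the old call would have truncated every palette write. Computing `palette_sz` once and using it for both the allocation and the length keeps the two from drifting; `palette_sz * sizeof(*header)` would additionally state the element type only once. If palette_size() can return 0 on this path, g_new() yields NULL and vnc_write() is handed a NULL buffer with length 0 (a zero-length VLA was already undefined behaviour, so not a regression, but worth confirming palette_size() >= 1 here).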
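Review bot: in the `case 2` arm, `size_t palette_sz = palette_size(palette);` is now computed identically in both the `case 4` and `case 2` branches; hoisting that one declaration above `switch (vs->client_pf.bytes_per_pixel)` would remove the duplication and let both arms share it, and the same `sizeof(*header)` spelling applies to `palette_sz * sizeof(uint16_t)` so the write length cannot disagree with the allocated element type.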
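The three commit messages above describe the same hardening in two shapes: either replace the VLA with a compile-time bound plus a check (patch 2/3), or move it to a scope-bound heap allocation whose size is computed once (patches 1/3 and 3/3), and then turn on a VLA diagnostic (`-Wvla`, or `-Werror=vla` once the last one is gone) so new ones cannot slip in. The C program below is an added example written for this page, not code from QEMU or from the patch authors. It shows a VLA sized from a peer-chosen value next to both hardened forms, and the early-return property that makes "declare as NULL, allocate later" safe. Everything in it is illustrative: the `AUTOFREE` macro is a hypothetical stand-in for GLib's `g_autofree` built on the compiler cleanup attribute, `malloc`/`free` stand in for `g_new`/`g_free`, `mul_size_ok` reproduces the overflow check `g_new` does internally, and the tile geometry, block size and dirty-column input are constructed, as are the function names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* AUTOFREE stands in for GLib's g_autofree (assumed semantics: the pointer
 * is freed when the variable leaves scope on every exit path, and freeing
 * NULL is a no-op). Hypothetical helper; needs GCC or Clang for the
 * cleanup attribute. */
static void autofree_cleanup(void *pp)
{
    free(*(void **)pp);
}
#define AUTOFREE __attribute__((cleanup(autofree_cleanup)))

#define TILE_W         16     /* constructed geometry for the example */
#define TILE_H         16
#define MAX_CLIENT_BPP 4
#define BLKSIZE        32
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Overflow-checked count * element size. g_new() performs this check
 * itself (and aborts on overflow); a bare malloc() does not. */
bool mul_size_ok(size_t n, size_t elem, size_t *bytes)
{
    if (elem != 0 && n > SIZE_MAX / elem) {
        return false;
    }
    *bytes = n * elem;
    return true;
}

/* Before: a VLA sized from bytes_per_pixel, a value the client picks.
 * Nothing in this function can bound it; a large bpp just keeps growing
 * the stack frame. This is the line -Wvla (or -Werror=vla) reports. */
size_t tile_buffer_vla(size_t bpp)
{
    uint8_t data[(bpp + 2) * TILE_W * TILE_H];
    memset(data, 0, sizeof(data));   /* sizeof of a VLA is a run-time value */
    return sizeof(data);
}

/* After, patch 2/3 style: compile-time bound plus an explicit check. The
 * check returns an error instead of assert()ing so it also holds in a
 * build with assertions disabled; in QEMU set_pixel_format() is the gate. */
int tile_buffer_fixed(size_t bpp, size_t *needed)
{
    uint8_t data[(MAX_CLIENT_BPP + 2) * TILE_W * TILE_H];   /* 1536 bytes */

    if (bpp == 0 || bpp > MAX_CLIENT_BPP) {
        return -1;                       /* refuse rather than overrun data[] */
    }
    *needed = (bpp + 2) * TILE_W * TILE_H;   /* <= sizeof(data) by construction */
    memset(data, 0, *needed);
    return 0;
}

/* After, patch 1/3 style: scope-bound heap allocation. dirty_top starts as
 * NULL so the early return is safe, and the allocation is deferred until it
 * is known to be needed, as in qemu_spice_create_update(). Returns the
 * number of 32-column blocks holding a dirty column, or -1 on error. */
int count_dirty_blocks(int width, const bool *dirty_cols)
{
    AUTOFREE int *dirty_top = NULL;
    size_t bytes;
    int blocks, blk, x, n = 0;

    if (width <= 0) {
        return -1;               /* nothing allocated yet: cleanup frees NULL */
    }
    blocks = DIV_ROUND_UP(width, BLKSIZE);
    if (!mul_size_ok((size_t)blocks, sizeof(*dirty_top), &bytes)) {
        return -1;
    }
    dirty_top = malloc(bytes);
    if (!dirty_top) {
        return -1;
    }
    for (blk = 0; blk < blocks; blk++) {
        dirty_top[blk] = -1;             /* -1: no dirty column seen yet */
    }
    for (x = 0; x < width; x++) {
        if (dirty_cols[x] && dirty_top[x / BLKSIZE] < 0) {
            dirty_top[x / BLKSIZE] = x;  /* first dirty column in this block */
        }
    }
    for (blk = 0; blk < blocks; blk++) {
        n += dirty_top[blk] >= 0;
    }
    return n;                            /* dirty_top freed here on every path */
}
```

Compile with `-Wvla` to see that only `tile_buffer_vla` is reported; the fixed-size and heap variants are what the three patches leave behind. The error return in `tile_buffer_fixed` is a stricter choice than the patch's `assert()`: it keeps the bound enforced even where assertions are compiled out, at the cost of a status code every caller must honour.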