From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Mon, 29 Feb 2016 14:34:49 +0000
Subject: [PATCH] improve primary surface parameter checks

Primary surface, as additional surfaces, can be used to access
host memory from the guest using invalid parameters.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 server/red_worker.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server/red_worker.c b/server/red_worker.c
index a7eaab9..f9179a6 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -11380,6 +11380,15 @@ static void dev_create_primary_surface(RedWorker *worker, uint32_t surface_id,
     spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) !=
              abs(surface.stride) * surface.height);
 
+     /* surface can arrive from guest unchecked so make sure
+      * guest is not a malicious one and drop invalid requests
+      */
+     if (!red_validate_surface(surface.width, surface.height,
+                               surface.stride, surface.format)) {
+         spice_warning("wrong primary surface creation request");
+         return;
+     }
+
     line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem,
                                 surface.height * abs(surface.stride),
                                 surface.group_id, &error);