From 77bad1190cabf82c833b9251c62e9b118b501765 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 2 Jul 2014 12:18:45 -0500
Subject: [CHANGE 01/11] qxl: dont update invalid area
To: rhvirt-patches@redhat.com,
    jen@redhat.com

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1404303526-29203-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 59444
O-Subject: [RHEL-6.6 qemu-kvm PATCH 1/2] qxl: dont update invalid area
Bugzilla: 994388
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

From: Dunrong Huang <riegamaths@gmail.com>

This patch fixes the following error:

$ ~/usr/bin/qemu-system-x86_64 -enable-kvm -m 1024 -spice port=5900,disable-ticketing -vga qxl -cdrom ~/Images/linuxmint-13-mate-dvd-32bit.iso
(/home/mathslinux/usr/bin/qemu-system-x86_64:10068): SpiceWorker-CRITICAL **: red_worker.c:4599:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed
Aborted

spice server terminates QEMU process if we pass invalid area to it,
so don't update those invalid areas.

Signed-off-by: Dunrong Huang <riegamaths@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit ccc2960d654a233a6ed415b37d8ff41728d817c5)
Signed-off-by: jen <jen@redhat.com>
---
 hw/qxl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/qxl.c b/hw/qxl.c
index 2747c81..9c519e2 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1557,6 +1557,13 @@ async_common:
             return;
         }
 
+        if (update.left < 0 || update.top < 0 || update.left >= update.right ||
+            update.top >= update.bottom) {
+            qxl_set_guest_bug(d, "QXL_IO_UPDATE_AREA: "
+                              "invalid area(%d,%d,%d,%d)\n", update.left,
+                              update.right, update.top, update.bottom);
+            break;
+        }
         if (async == QXL_ASYNC) {
             cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
                                     QXL_IO_UPDATE_AREA_ASYNC);
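Review bot: The arguments to the qxl_set_guest_bug() call are passed as update.left, update.right, update.top, update.bottom, while the condition just above tests them in left, top, right, bottom order, which is also the order of the spice assertion quoted in the commit message. Because the format string prints four unlabelled %d values, anyone reading the guest-bug log can easily misattribute them. Suggest labelling the fields (for example "left=%d top=%d right=%d bottom=%d") or passing them in the same order as the check. Separately, the error path visible in the context above leaves with return; while the new one uses break; please confirm that difference is intended, since the async handling follows directly after. A blank line between the new block and if (async == QXL_ASYNC) would match the spacing before it.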
-- 
1.9.3

