[Qemu-devel] Re: [PATCH 4/7] Make vnc buffer big-chunk aware

[Anthony Liguori]

Alexander Graf wrote:
> Currently writing to buffers is protected by buffer_reserve.
> Unfortunately, is reserves at most 1024 bytes more than we currently
> have, so if we want to write a 2048 bytes chunk, we overwrite
> random memory.
>   

Yikes!

> This patch addresses this in a pretty dumb but easy way.
>
> Signed-off-by: Alexander Graf <address@hidden>
> ---
>  vnc.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/vnc.c b/vnc.c
> index 4b17f85..d0d9580 100644
> --- a/vnc.c
> +++ b/vnc.c
> @@ -592,7 +592,7 @@ static int vnc_listen_poll(void *opaque)
>  
>  static void buffer_reserve(Buffer *buffer, size_t len)
>  {
> -    if ((buffer->capacity - buffer->offset) < len) {
> +    while ((buffer->capacity - buffer->offset) < len) {
>         buffer->capacity += (len + 1024);
>   

Okay, I no longer believe you.

If we want to write len bytes, and we increase capacity by (len + 1024) 
bytes, then we should be fine.  The reason it's len + 1024 vs just len 
is to avoid many qemu_realloc()s on many small reservations (like for 
adding u32s).

Regards,

Anthony Liguori
>         buffer->buffer = qemu_realloc(buffer->buffer, buffer->capacity);
>         if (buffer->buffer == NULL) {
>