VirtualBox

Browse Source

Changeset 39603 in vbox

Timestamp:

Dec 14, 2011 11:12:56 AM (13 years ago)

Author:

vboxsync

Message:

crHgsmi: cleanup

Location:

Files:

: 11 edited

include/VBox/VBoxVideo.h (modified) (3 diffs)
include/VBox/vmm/pdmifs.h (modified) (2 diffs)
src/VBox/Devices/Graphics/DevVGA.h (modified) (1 diff)
src/VBox/Devices/Graphics/DevVGA_VBVA.cpp (modified) (2 diffs)
src/VBox/Devices/Graphics/DevVGA_VDMA.cpp (modified) (11 diffs)
src/VBox/GuestHost/OpenGL/include/cr_server.h (modified) (1 diff)
src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp (modified) (2 diffs)
src/VBox/HostServices/SharedOpenGL/crserverlib/server.h (modified) (1 diff)
src/VBox/HostServices/SharedOpenGL/crserverlib/server_main.c (modified) (11 diffs)
src/VBox/Main/include/DisplayImpl.h (modified) (2 diffs)
src/VBox/Main/src-client/DisplayImpl.cpp (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/include/VBox/VBoxVideo.h

-              r39359
+              r39603
+}
+#define VBoxSHGSMIBufferHeaderSize() (sizeof (VBOXSHGSMIHEADER))
 DECLINLINE(PVBOXSHGSMIHEADER) VBoxSHGSMIBufferHeader (const void *pvData)
+{
 …
 #define VBOXVDMACMD_SIZE(_t) (VBOXVDMACMD_SIZE_FROMBODYSIZE(sizeof (_t)))
 #define VBOXVDMACMD_BODY(_pCmd, _t) ( (_t*)(((uint8_t*)(_pCmd)) + VBOXVDMACMD_HEADER_SIZE()) )
+#define VBOXVDMACMD_BODY_SIZE(_s) ( (_s) - VBOXVDMACMD_HEADER_SIZE() )
 #define VBOXVDMACMD_FROM_BODY(_pCmd) ( (VBOXVDMACMD*)(((uint8_t*)(_pCmd)) - VBOXVDMACMD_HEADER_SIZE()) )
 #define VBOXVDMACMD_BODY_FIELD_OFFSET(_ot, _t, _f) ( (_ot)(uintptr_t)( VBOXVDMACMD_BODY(0, uint8_t) + RT_OFFSETOF(_t, _f) ) )
 …
     union
+    {
         void *pvRamBase;
+        void *pvVRamBase;
         uint64_t uAlignment;
     };
+    uint64_t cbVRam;
 } VBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP, *PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP;

trunk/include/VBox/vmm/pdmifs.h

-              r38878
+              r39603
      * @thread  The emulation thread.
      */
     DECLR3CALLBACKMEMBER(void, pfnCrHgsmiCommandProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd));
+    DECLR3CALLBACKMEMBER(void, pfnCrHgsmiCommandProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd));
     /**
 …
      * @thread  The emulation thread.
      */
     DECLR3CALLBACKMEMBER(void, pfnCrHgsmiControlProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl));
+    DECLR3CALLBACKMEMBER(void, pfnCrHgsmiControlProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl));

trunk/src/VBox/Devices/Graphics/DevVGA.h

-              r36899
+              r39603
 int vboxVDMAConstruct(PVGASTATE pVGAState, uint32_t cPipeElements);
 int vboxVDMADestruct(PVBOXVDMAHOST pVdma);
 void vboxVDMAControl(PVBOXVDMAHOST pVdma, PVBOXVDMA_CTL pCmd);
 void vboxVDMACommand(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd);
+void vboxVDMAControl(PVBOXVDMAHOST pVdma, PVBOXVDMA_CTL pCmd, uint32_t cbCmd);
+void vboxVDMACommand(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd);
 int vboxVDMASaveStateExecPrep(struct VBOXVDMAHOST *pVdma, PSSMHANDLE pSSM);
 int vboxVDMASaveStateExecDone(struct VBOXVDMAHOST *pVdma, PSSMHANDLE pSSM);

trunk/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp

-              r38514
+              r39603
         case VBVA_VDMA_CMD:
+        {
+            if (cbBuffer < VBoxSHGSMIBufferHeaderSize() + sizeof (VBOXVDMACBUF_DR))
+            {
+                rc = VERR_INVALID_PARAMETER;
+                break;
+            }
             PVBOXVDMACBUF_DR pCmd = (PVBOXVDMACBUF_DR)VBoxSHGSMIBufferData ((PVBOXSHGSMIHEADER)pvBuffer);
             vboxVDMACommand(pVGAState->pVdma, pCmd);
+            vboxVDMACommand(pVGAState->pVdma, pCmd, cbBuffer - VBoxSHGSMIBufferHeaderSize());
             rc = VINF_SUCCESS;
             break;
 …
         case VBVA_VDMA_CTL:
+        {
+            if (cbBuffer < VBoxSHGSMIBufferHeaderSize() + sizeof (VBOXVDMA_CTL))
+            {
+                rc = VERR_INVALID_PARAMETER;
+                break;
+            }
             PVBOXVDMA_CTL pCmd = (PVBOXVDMA_CTL)VBoxSHGSMIBufferData ((PVBOXSHGSMIHEADER)pvBuffer);
             vboxVDMAControl(pVGAState->pVdma, pCmd);
+            vboxVDMAControl(pVGAState->pVdma, pCmd, cbBuffer - VBoxSHGSMIBufferHeaderSize());
             rc = VINF_SUCCESS;
             break;

trunk/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp

-              r37490
+              r39603
 static int vboxVDMACrCtlPostAsync (PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, PFNVBOXVDMACRCTL_CALLBACK pfnCompletion, void *pvCompletion)
+static int vboxVDMACrCtlPostAsync (PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd, PFNVBOXVDMACRCTL_CALLBACK pfnCompletion, void *pvCompletion)
+{
     if (pVGAState->pDrv->pfnCrHgsmiControlProcess)
 …
         pHdr->pfnCompletion = pfnCompletion;
         pHdr->pvCompletion = pvCompletion;
         pVGAState->pDrv->pfnCrHgsmiControlProcess(pVGAState->pDrv, pCmd);
+        pVGAState->pDrv->pfnCrHgsmiControlProcess(pVGAState->pDrv, pCmd, cbCmd);
         return VINF_SUCCESS;
+    }
 …
+}
 static int vboxVDMACrCtlPost(PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd)
+static int vboxVDMACrCtlPost(PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd)
+{
     RTSEMEVENT hComplEvent;
 …
     if(RT_SUCCESS(rc))
+    {
         rc = vboxVDMACrCtlPostAsync (pVGAState, pCmd, vboxVDMACrCtlCbSetEvent, (void*)hComplEvent);
+        rc = vboxVDMACrCtlPostAsync (pVGAState, pCmd, cbCmd, vboxVDMACrCtlCbSetEvent, (void*)hComplEvent);
 #ifdef DEBUG_misha
         AssertRC(rc);
 …
+    {
         PVGASTATE pVGAState = pVdma->pVGAState;
+        pCmd->pvRamBase = pVGAState->vram_ptrR3;
+        int rc = vboxVDMACrCtlPost(pVGAState, &pCmd->Hdr);
+        pCmd->pvVRamBase = pVGAState->vram_ptrR3;
+        pCmd->cbVRam = pVGAState->vram_size;
+        int rc = vboxVDMACrCtlPost(pVGAState, &pCmd->Hdr, sizeof (*pCmd));
         AssertRC(rc);
         if (RT_SUCCESS(rc))
 …
 /* check if this is external cmd to be passed to chromium backend */
+static bool vboxVDMACmdCheckCrCmd(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd)
+{
+    PVBOXVDMACMD pDmaCmd;
+static int vboxVDMACmdCheckCrCmd(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmdDr, uint32_t cbCmdDr)
+{
+    PVBOXVDMACMD pDmaCmd = NULL;
+    uint32_t cbDmaCmd = 0;
     uint8_t * pvRam = pVdma->pVGAState->vram_ptrR3;
+    bool bCompleted = false;
+    if (pCmd->fFlags & VBOXVDMACBUF_FLAG_BUF_FOLLOWS_DR)
+        pDmaCmd = VBOXVDMACBUF_DR_TAIL(pCmd, VBOXVDMACMD);
+    else
+        pDmaCmd = NULL;
+    int rc = VINF_NOT_SUPPORTED;
+    if (pCmdDr->fFlags & VBOXVDMACBUF_FLAG_BUF_FOLLOWS_DR)
+    {
+        if (cbCmdDr < sizeof (*pCmdDr) + VBOXVDMACMD_HEADER_SIZE())
+        {
+            AssertMsgFailed(("invalid buffer data!"));
+            return VERR_INVALID_PARAMETER;
+        }
+        cbDmaCmd = pCmdDr->cbBuf;
+        if (cbDmaCmd < cbCmdDr - sizeof (*pCmdDr) - VBOXVDMACMD_HEADER_SIZE())
+        {
+            AssertMsgFailed(("invalid command buffer data!"));
+            return VERR_INVALID_PARAMETER;
+        }
+        pDmaCmd = VBOXVDMACBUF_DR_TAIL(pCmdDr, VBOXVDMACMD);
+    }
     if (pDmaCmd)
+    {
+        uint32_t cbCmd = pCmd->cbBuf;
+        Assert(cbCmd >= VBOXVDMACMD_HEADER_SIZE());
+        if (cbCmd >= VBOXVDMACMD_HEADER_SIZE())
+        {
+            switch (pDmaCmd->enmType)
+            {
+                case VBOXVDMACMD_TYPE_CHROMIUM_CMD:
+        Assert(cbDmaCmd >= VBOXVDMACMD_HEADER_SIZE());
+        uint32_t cbBody = VBOXVDMACMD_BODY_SIZE(cbDmaCmd);
+        switch (pDmaCmd->enmType)
+        {
+            case VBOXVDMACMD_TYPE_CHROMIUM_CMD:
+            {
+                PVBOXVDMACMD_CHROMIUM_CMD pCrCmd = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_CHROMIUM_CMD);
+                if (cbBody < sizeof (*pCrCmd))
+                {
+                    PVBOXVDMACMD_CHROMIUM_CMD pCrCmd = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_CHROMIUM_CMD);
+                    PVGASTATE pVGAState = pVdma->pVGAState;
+                    bCompleted = true;
+                    if (pVGAState->pDrv->pfnCrHgsmiCommandProcess)
+                    {
+                        VBoxSHGSMICommandMarkAsynchCompletion(pCmd);
+                        pVGAState->pDrv->pfnCrHgsmiCommandProcess(pVGAState->pDrv, pCrCmd);
+                        break;
+                    }
+                    else
+                    {
+                        Assert(0);
+                    }
+                    int tmpRc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd);
+                    AssertRC(tmpRc);
+//                uint32_t cBufs = pCrCmd->cBuffers;
+//                for (uint32_t i = 0; i < cBufs; ++i)
+//                {
+//                    PVBOXVDMACMD_CHROMIUM_BUFFER pBuf = &pCrCmd->aBuffers[i];
+//                    void *pvBuffer = pvRam + pBuf->offBuffer;
+//                    uint32_t cbBuffer = pBuf->cbBuffer;
+//                }
+                    AssertMsgFailed(("invalid chromium command buffer size!"));
+                    return VERR_INVALID_PARAMETER;
+                }
+                PVGASTATE pVGAState = pVdma->pVGAState;
+                rc = VINF_SUCCESS;
+                if (pVGAState->pDrv->pfnCrHgsmiCommandProcess)
+                {
+                    VBoxSHGSMICommandMarkAsynchCompletion(pCmdDr);
+                    pVGAState->pDrv->pfnCrHgsmiCommandProcess(pVGAState->pDrv, pCrCmd, cbBody);
                     break;
+                }
                 case VBOXVDMACMD_TYPE_DMA_BPB_TRANSFER:
+                else
+                {
+                    PVBOXVDMACMD_DMA_BPB_TRANSFER pTransfer = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_DMA_BPB_TRANSFER);
+                    int rc = vboxVDMACmdExecBpbTransfer(pVdma, pTransfer, sizeof (*pTransfer));
+                    Assert(0);
+                }
+                int tmpRc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmdDr);
+                AssertRC(tmpRc);
+                break;
+            }
+            case VBOXVDMACMD_TYPE_DMA_BPB_TRANSFER:
+            {
+                PVBOXVDMACMD_DMA_BPB_TRANSFER pTransfer = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_DMA_BPB_TRANSFER);
+                if (cbBody < sizeof (*pTransfer))
+                {
+                    AssertMsgFailed(("invalid bpb transfer buffer size!"));
+                    return VERR_INVALID_PARAMETER;
+                }
+                rc = vboxVDMACmdExecBpbTransfer(pVdma, pTransfer, sizeof (*pTransfer));
+                AssertRC(rc);
+                if (RT_SUCCESS(rc))
+                {
+                    pCmdDr->rc = VINF_SUCCESS;
+                    rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmdDr);
                     AssertRC(rc);
+                    if (RT_SUCCESS(rc))
+                    {
+                        pCmd->rc = VINF_SUCCESS;
+                        rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd);
+                        AssertRC(rc);
+                        bCompleted = true;
+                    }
+                    break;
+                    rc = VINF_SUCCESS;
+                }
+                default:
+                    break;
+            }
+        }
+    }
+    return bCompleted;
+                break;
+            }
+            default:
+                break;
+        }
+    }
+    return rc;
+}
 …
 #endif
 static void vboxVDMACommandProcess(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd)
+static void vboxVDMACommandProcess(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd)
+{
     PHGSMIINSTANCE pHgsmi = pVdma->pHgsmi;
 …
     if (pCmd)
+    {
         int rc = vboxVDMACrCtlPost(pVGAState, pCmd);
+        int rc = vboxVDMACrCtlPost(pVGAState, pCmd, sizeof (*pCmd));
         AssertRC(rc);
         if (RT_SUCCESS(rc))
 …
     if (pCmd)
+    {
         int rc = vboxVDMACrCtlPost(pVGAState, pCmd);
+        int rc = vboxVDMACrCtlPost(pVGAState, pCmd, sizeof (*pCmd));
         AssertRC(rc);
         if (RT_SUCCESS(rc))
 …
 void vboxVDMAControl(struct VBOXVDMAHOST *pVdma, PVBOXVDMA_CTL pCmd)
+void vboxVDMAControl(struct VBOXVDMAHOST *pVdma, PVBOXVDMA_CTL pCmd, uint32_t cbCmd)
+{
 #if 1
 …
+}
+void vboxVDMACommand(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd)
+{
+void vboxVDMACommand(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd)
+{
+    int rc = VERR_NOT_IMPLEMENTED;
 #ifdef VBOX_WITH_CRHGSMI
     /* chromium commands are processed by crhomium hgcm thread independently from our internal cmd processing pipeline
      * this is why we process them specially */
+    if (vboxVDMACmdCheckCrCmd(pVdma, pCmd))
+    rc = vboxVDMACmdCheckCrCmd(pVdma, pCmd, cbCmd);
+    if (rc == VINF_SUCCESS)
         return;
+    if (RT_FAILURE(rc))
+    {
+        pCmd->rc = rc;
+        rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd);
+        AssertRC(rc);
+        return;
+    }
 #endif
 #ifndef VBOX_VDMA_WITH_WORKERTHREAD
     vboxVDMACommandProcess(pVdma, pCmd);
+    vboxVDMACommandProcess(pVdma, pCmd, cbCmd);
 #else
-    int rc = VERR_NOT_IMPLEMENTED;
 # ifdef DEBUG_misha

trunk/src/VBox/GuestHost/OpenGL/include/cr_server.h

-              r39288
+              r39603
  * NOTE: it is ALWAYS responsibility of the crVBoxServerCrHgsmiCmd to complete the command!
  * */
 extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd);
 extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl);
+extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, uint32_t cbCmd);
+extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl, uint32_t cbCtl);
 #endif

trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp

-              r39507
+              r39603
             if (cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR)
+            {
                 rc = crVBoxServerCrHgsmiCmd((PVBOXVDMACMD_CHROMIUM_CMD)paParms[0].u.pointer.addr);
+                rc = crVBoxServerCrHgsmiCmd((PVBOXVDMACMD_CHROMIUM_CMD)paParms[0].u.pointer.addr, paParms[0].u.pointer.size);
                 if (VERR_NOT_SUPPORTED == rc)
+                {
 …
             Assert(cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR);
             if (cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR)
                 rc = crVBoxServerCrHgsmiCtl((PVBOXVDMACMD_CHROMIUM_CTL)paParms[0].u.pointer.addr);
+                rc = crVBoxServerCrHgsmiCtl((PVBOXVDMACMD_CHROMIUM_CTL)paParms[0].u.pointer.addr, paParms[0].u.pointer.size);
             else
                 rc = VERR_INVALID_PARAMETER;

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server.h

-              r39288
+              r39603
 extern uint8_t* g_pvVRamBase;
+extern uint32_t g_cbVRam;
 extern HCRHGSMICMDCOMPLETION g_hCrHgsmiCompletion;
 extern PFNCRHGSMICMDCOMPLETION g_pfnCrHgsmiCompletion;
 #define VBOXCRHGSMI_PTR(_off, _t) ((_t*)(g_pvVRamBase + (_off)))
+#define VBOXCRHGSMI_PTR_SAFE(_off, _cb, _t) ((_t*)crServerCrHgsmiPtrGet(_off, _cb))
+DECLINLINE(void*) crServerCrHgsmiPtrGet(VBOXVIDEOOFFSET offBuffer, uint32_t cbBuffer)
+{
+    return ((offBuffer) + (cbBuffer) <= g_cbVRam ? VBOXCRHGSMI_PTR(offBuffer, void) : NULL);
+}
 DECLINLINE(void) crServerCrHgsmiCmdComplete(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, int cmdProcessingRc)

trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_main.c

-              r39288
+              r39603
 # include <VBox/HostServices/VBoxCrOpenGLSvc.h>
 uint8_t* g_pvVRamBase = NULL;
+uint32_t g_cbVRam = 0;
 HCRHGSMICMDCOMPLETION g_hCrHgsmiCompletion = NULL;
 PFNCRHGSMICMDCOMPLETION g_pfnCrHgsmiCompletion = NULL;
 …
  * NOTE: it is ALWAYS responsibility of the crVBoxServerCrHgsmiCmd to complete the command!
  * */
 int32_t crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd)
+int32_t crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, uint32_t cbCmd)
+{
     int32_t rc;
     uint32_t cBuffers = pCmd->cBuffers;
     uint32_t cParams;
+    uint32_t cbHdr;
     CRVBOXHGSMIHDR *pHdr;
     uint32_t u32Function;
 …
     if (!g_pvVRamBase)
+    {
         CRASSERT(0);
+        crWarning("g_pvVRamBase is not initialized");
         crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_STATE);
         return VINF_SUCCESS;
 …
     if (!cBuffers)
+    {
         CRASSERT(0);
+        crWarning("zero buffers passed in!");
         crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER);
         return VINF_SUCCESS;
 …
     cParams = cBuffers-1;
+    pHdr = VBOXCRHGSMI_PTR(pCmd->aBuffers[0].offBuffer, CRVBOXHGSMIHDR);
+    cbHdr = pCmd->aBuffers[0].cbBuffer;
+    pHdr = VBOXCRHGSMI_PTR_SAFE(pCmd->aBuffers[0].offBuffer, cbHdr, CRVBOXHGSMIHDR);
+    if (!pHdr)
+    {
+        crWarning("invalid header buffer!");
+        crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER);
+        return VINF_SUCCESS;
+    }
+    if (cbHdr < sizeof (*pHdr))
+    {
+        crWarning("invalid header buffer size!");
+        crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER);
+        return VINF_SUCCESS;
+    }
     u32Function = pHdr->u32Function;
     u32ClientID = pHdr->u32ClientID;
 …
                 VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1];
                 /* Fetch parameters. */
-                uint8_t *pBuffer  = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t);
                 uint32_t cbBuffer = pBuf->cbBuffer;
+                CRASSERT(pBuffer);
+                uint8_t *pBuffer  = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t);
+                if (cbHdr < sizeof (*pFnCmd))
+                {
+                    crWarning("invalid write cmd buffer size!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 CRASSERT(cbBuffer);
+                if (!pBuffer)
+                {
+                    crWarning("invalid buffer data received from guest!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 rc = crVBoxServerClientGet(u32ClientID, &pClient);
 …
                 uint32_t u32InjectClientID = pFnCmd->u32ClientID;
                 VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1];
-                uint8_t *pBuffer  = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t);
                 uint32_t cbBuffer = pBuf->cbBuffer;
+                CRASSERT(pBuffer);
+                uint8_t *pBuffer  = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t);
+                if (cbHdr < sizeof (*pFnCmd))
+                {
+                    crWarning("invalid inject cmd buffer size!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 CRASSERT(cbBuffer);
+                if (!pBuffer)
+                {
+                    crWarning("invalid buffer data received from guest!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 rc = crVBoxServerClientGet(u32InjectClientID, &pClient);
 …
                 VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1];
                 /* Fetch parameters. */
-                uint8_t *pBuffer  = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t);
                 uint32_t cbBuffer = pBuf->cbBuffer;
+                uint8_t *pBuffer  = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t);
+                if (cbHdr < sizeof (*pFnCmd))
+                {
+                    crWarning("invalid read cmd buffer size!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
+                if (!pBuffer)
+                {
+                    crWarning("invalid buffer data received from guest!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 rc = crVBoxServerClientGet(u32ClientID, &pClient);
 …
                 /* Fetch parameters. */
-                uint8_t *pBuffer  = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t);
                 uint32_t cbBuffer = pBuf->cbBuffer;
+                uint8_t *pWriteback  = VBOXCRHGSMI_PTR(pWbBuf->offBuffer, uint8_t);
+                uint8_t *pBuffer  = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t);
                 uint32_t cbWriteback = pWbBuf->cbBuffer;
+                CRASSERT(pBuffer);
+                uint8_t *pWriteback  = VBOXCRHGSMI_PTR_SAFE(pWbBuf->offBuffer, cbWriteback, uint8_t);
+                if (cbHdr < sizeof (*pFnCmd))
+                {
+                    crWarning("invalid write_read cmd buffer size!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 CRASSERT(cbBuffer);
+                if (!pBuffer)
+                {
+                    crWarning("invalid write buffer data received from guest!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
+                CRASSERT(cbWriteback);
+                if (!pWriteback)
+                {
+                    crWarning("invalid writeback buffer data received from guest!");
+                    rc = VERR_INVALID_PARAMETER;
+                    break;
+                }
                 rc = crVBoxServerClientGet(u32ClientID, &pClient);
                 if (RT_FAILURE(rc))
 …
+}
 int32_t crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl)
+int32_t crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl, uint32_t cbCtl)
+{
     int rc = VINF_SUCCESS;
 …
+        {
             PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP pSetup = (PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP)pCtl;
+            g_pvVRamBase = (uint8_t*)pSetup->pvRamBase;
+            g_pvVRamBase = (uint8_t*)pSetup->pvVRamBase;
+            g_cbVRam = pSetup->cbVRam;
             rc = VINF_SUCCESS;
             break;

trunk/src/VBox/Main/include/DisplayImpl.h

-              r35638
+              r39603
 #endif
 #ifdef VBOX_WITH_CRHGSMI
     void handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd);
     void handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl);
+    void handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd);
+    void handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl);
     void handleCrHgsmiCommandCompletion(int32_t result, uint32_t u32Function, PVBOXHGCMSVCPARM pParam);
 …
 #ifdef VBOX_WITH_CRHGSMI
     static DECLCALLBACK(void)  displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd);
     static DECLCALLBACK(void)  displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl);
+    static DECLCALLBACK(void)  displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd);
+    static DECLCALLBACK(void)  displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl);
     static DECLCALLBACK(void) displayCrHgsmiCommandCompletion(int32_t result, uint32_t u32Function, PVBOXHGCMSVCPARM pParam, void *pvContext);

trunk/src/VBox/Main/src-client/DisplayImpl.cpp

-              r39391
+              r39603
+}
 void Display::handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd)
+void Display::handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd)
+{
     int rc = VERR_INVALID_FUNCTION;
 …
     parm.type = VBOX_HGCM_SVC_PARM_PTR;
     parm.u.pointer.addr = pCmd;
     parm.u.pointer.size = 0;
+    parm.u.pointer.size = cbCmd;
     if (mhCrOglSvc)
 …
+}
 void Display::handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl)
+void Display::handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl)
+{
     int rc = VERR_INVALID_FUNCTION;
 …
     parm.type = VBOX_HGCM_SVC_PARM_PTR;
     parm.u.pointer.addr = pCtl;
     parm.u.pointer.size = 0;
+    parm.u.pointer.size = cbCtl;
     if (mhCrOglSvc)
 …
 DECLCALLBACK(void) Display::displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd)
+DECLCALLBACK(void) Display::displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd)
+{
     PDRVMAINDISPLAY pDrv = PDMIDISPLAYCONNECTOR_2_MAINDISPLAY(pInterface);
     pDrv->pDisplay->handleCrHgsmiCommandProcess(pInterface, pCmd);
+}
 DECLCALLBACK(void) Display::displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCmd)
+    pDrv->pDisplay->handleCrHgsmiCommandProcess(pInterface, pCmd, cbCmd);
+}
+DECLCALLBACK(void) Display::displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd)
+{
     PDRVMAINDISPLAY pDrv = PDMIDISPLAYCONNECTOR_2_MAINDISPLAY(pInterface);
     pDrv->pDisplay->handleCrHgsmiControlProcess(pInterface, pCmd);
+    pDrv->pDisplay->handleCrHgsmiControlProcess(pInterface, pCmd, cbCmd);
+}

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette