Index: /trunk/include/VBox/VBoxVideo.h =================================================================== --- /trunk/include/VBox/VBoxVideo.h (revision 39602) +++ /trunk/include/VBox/VBoxVideo.h (revision 39603) @@ -1135,4 +1135,6 @@ } +#define VBoxSHGSMIBufferHeaderSize() (sizeof (VBOXSHGSMIHEADER)) + DECLINLINE(PVBOXSHGSMIHEADER) VBoxSHGSMIBufferHeader (const void *pvData) { @@ -1268,4 +1270,5 @@ #define VBOXVDMACMD_SIZE(_t) (VBOXVDMACMD_SIZE_FROMBODYSIZE(sizeof (_t))) #define VBOXVDMACMD_BODY(_pCmd, _t) ( (_t*)(((uint8_t*)(_pCmd)) + VBOXVDMACMD_HEADER_SIZE()) ) +#define VBOXVDMACMD_BODY_SIZE(_s) ( (_s) - VBOXVDMACMD_HEADER_SIZE() ) #define VBOXVDMACMD_FROM_BODY(_pCmd) ( (VBOXVDMACMD*)(((uint8_t*)(_pCmd)) - VBOXVDMACMD_HEADER_SIZE()) ) #define VBOXVDMACMD_BODY_FIELD_OFFSET(_ot, _t, _f) ( (_ot)(uintptr_t)( VBOXVDMACMD_BODY(0, uint8_t) + RT_OFFSETOF(_t, _f) ) ) @@ -1403,7 +1406,8 @@ union { - void *pvRamBase; + void *pvVRamBase; uint64_t uAlignment; }; + uint64_t cbVRam; } VBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP, *PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP; Index: /trunk/include/VBox/vmm/pdmifs.h =================================================================== --- /trunk/include/VBox/vmm/pdmifs.h (revision 39602) +++ /trunk/include/VBox/vmm/pdmifs.h (revision 39603) @@ -715,5 +715,5 @@ * @thread The emulation thread. */ - DECLR3CALLBACKMEMBER(void, pfnCrHgsmiCommandProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd)); + DECLR3CALLBACKMEMBER(void, pfnCrHgsmiCommandProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd)); /** @@ -724,5 +724,5 @@ * @thread The emulation thread. */ - DECLR3CALLBACKMEMBER(void, pfnCrHgsmiControlProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl)); + DECLR3CALLBACKMEMBER(void, pfnCrHgsmiControlProcess, (PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl)); Index: /trunk/src/VBox/Devices/Graphics/DevVGA.h =================================================================== --- /trunk/src/VBox/Devices/Graphics/DevVGA.h (revision 39602) +++ /trunk/src/VBox/Devices/Graphics/DevVGA.h (revision 39603) @@ -512,6 +512,6 @@ int vboxVDMAConstruct(PVGASTATE pVGAState, uint32_t cPipeElements); int vboxVDMADestruct(PVBOXVDMAHOST pVdma); -void vboxVDMAControl(PVBOXVDMAHOST pVdma, PVBOXVDMA_CTL pCmd); -void vboxVDMACommand(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd); +void vboxVDMAControl(PVBOXVDMAHOST pVdma, PVBOXVDMA_CTL pCmd, uint32_t cbCmd); +void vboxVDMACommand(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd); int vboxVDMASaveStateExecPrep(struct VBOXVDMAHOST *pVdma, PSSMHANDLE pSSM); int vboxVDMASaveStateExecDone(struct VBOXVDMAHOST *pVdma, PSSMHANDLE pSSM); Index: /trunk/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp =================================================================== --- /trunk/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp (revision 39602) +++ /trunk/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp (revision 39603) @@ -1657,6 +1657,11 @@ case VBVA_VDMA_CMD: { + if (cbBuffer < VBoxSHGSMIBufferHeaderSize() + sizeof (VBOXVDMACBUF_DR)) + { + rc = VERR_INVALID_PARAMETER; + break; + } PVBOXVDMACBUF_DR pCmd = (PVBOXVDMACBUF_DR)VBoxSHGSMIBufferData ((PVBOXSHGSMIHEADER)pvBuffer); - vboxVDMACommand(pVGAState->pVdma, pCmd); + vboxVDMACommand(pVGAState->pVdma, pCmd, cbBuffer - VBoxSHGSMIBufferHeaderSize()); rc = VINF_SUCCESS; break; @@ -1664,6 +1669,11 @@ case VBVA_VDMA_CTL: { + if (cbBuffer < VBoxSHGSMIBufferHeaderSize() + sizeof (VBOXVDMA_CTL)) + { + rc = VERR_INVALID_PARAMETER; + break; + } PVBOXVDMA_CTL pCmd = (PVBOXVDMA_CTL)VBoxSHGSMIBufferData ((PVBOXSHGSMIHEADER)pvBuffer); - vboxVDMAControl(pVGAState->pVdma, pCmd); + vboxVDMAControl(pVGAState->pVdma, pCmd, cbBuffer - VBoxSHGSMIBufferHeaderSize()); rc = VINF_SUCCESS; break; Index: /trunk/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp =================================================================== --- /trunk/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp (revision 39602) +++ /trunk/src/VBox/Devices/Graphics/DevVGA_VDMA.cpp (revision 39603) @@ -157,5 +157,5 @@ -static int vboxVDMACrCtlPostAsync (PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, PFNVBOXVDMACRCTL_CALLBACK pfnCompletion, void *pvCompletion) +static int vboxVDMACrCtlPostAsync (PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd, PFNVBOXVDMACRCTL_CALLBACK pfnCompletion, void *pvCompletion) { if (pVGAState->pDrv->pfnCrHgsmiControlProcess) @@ -164,5 +164,5 @@ pHdr->pfnCompletion = pfnCompletion; pHdr->pvCompletion = pvCompletion; - pVGAState->pDrv->pfnCrHgsmiControlProcess(pVGAState->pDrv, pCmd); + pVGAState->pDrv->pfnCrHgsmiControlProcess(pVGAState->pDrv, pCmd, cbCmd); return VINF_SUCCESS; } @@ -173,5 +173,5 @@ } -static int vboxVDMACrCtlPost(PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd) +static int vboxVDMACrCtlPost(PVGASTATE pVGAState, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd) { RTSEMEVENT hComplEvent; @@ -180,5 +180,5 @@ if(RT_SUCCESS(rc)) { - rc = vboxVDMACrCtlPostAsync (pVGAState, pCmd, vboxVDMACrCtlCbSetEvent, (void*)hComplEvent); + rc = vboxVDMACrCtlPostAsync (pVGAState, pCmd, cbCmd, vboxVDMACrCtlCbSetEvent, (void*)hComplEvent); #ifdef DEBUG_misha AssertRC(rc); @@ -209,6 +209,7 @@ { PVGASTATE pVGAState = pVdma->pVGAState; - pCmd->pvRamBase = pVGAState->vram_ptrR3; - int rc = vboxVDMACrCtlPost(pVGAState, &pCmd->Hdr); + pCmd->pvVRamBase = pVGAState->vram_ptrR3; + pCmd->cbVRam = pVGAState->vram_size; + int rc = vboxVDMACrCtlPost(pVGAState, &pCmd->Hdr, sizeof (*pCmd)); AssertRC(rc); if (RT_SUCCESS(rc)) @@ -225,71 +226,86 @@ /* check if this is external cmd to be passed to chromium backend */ -static bool vboxVDMACmdCheckCrCmd(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd) -{ - PVBOXVDMACMD pDmaCmd; +static int vboxVDMACmdCheckCrCmd(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmdDr, uint32_t cbCmdDr) +{ + PVBOXVDMACMD pDmaCmd = NULL; + uint32_t cbDmaCmd = 0; uint8_t * pvRam = pVdma->pVGAState->vram_ptrR3; - bool bCompleted = false; - - if (pCmd->fFlags & VBOXVDMACBUF_FLAG_BUF_FOLLOWS_DR) - pDmaCmd = VBOXVDMACBUF_DR_TAIL(pCmd, VBOXVDMACMD); - else - pDmaCmd = NULL; + int rc = VINF_NOT_SUPPORTED; + + if (pCmdDr->fFlags & VBOXVDMACBUF_FLAG_BUF_FOLLOWS_DR) + { + if (cbCmdDr < sizeof (*pCmdDr) + VBOXVDMACMD_HEADER_SIZE()) + { + AssertMsgFailed(("invalid buffer data!")); + return VERR_INVALID_PARAMETER; + } + + cbDmaCmd = pCmdDr->cbBuf; + if (cbDmaCmd < cbCmdDr - sizeof (*pCmdDr) - VBOXVDMACMD_HEADER_SIZE()) + { + AssertMsgFailed(("invalid command buffer data!")); + return VERR_INVALID_PARAMETER; + } + + pDmaCmd = VBOXVDMACBUF_DR_TAIL(pCmdDr, VBOXVDMACMD); + } if (pDmaCmd) { - uint32_t cbCmd = pCmd->cbBuf; - Assert(cbCmd >= VBOXVDMACMD_HEADER_SIZE()); - - if (cbCmd >= VBOXVDMACMD_HEADER_SIZE()) - { - switch (pDmaCmd->enmType) - { - case VBOXVDMACMD_TYPE_CHROMIUM_CMD: + Assert(cbDmaCmd >= VBOXVDMACMD_HEADER_SIZE()); + uint32_t cbBody = VBOXVDMACMD_BODY_SIZE(cbDmaCmd); + + switch (pDmaCmd->enmType) + { + case VBOXVDMACMD_TYPE_CHROMIUM_CMD: + { + PVBOXVDMACMD_CHROMIUM_CMD pCrCmd = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_CHROMIUM_CMD); + if (cbBody < sizeof (*pCrCmd)) { - PVBOXVDMACMD_CHROMIUM_CMD pCrCmd = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_CHROMIUM_CMD); - PVGASTATE pVGAState = pVdma->pVGAState; - bCompleted = true; - if (pVGAState->pDrv->pfnCrHgsmiCommandProcess) - { - VBoxSHGSMICommandMarkAsynchCompletion(pCmd); - pVGAState->pDrv->pfnCrHgsmiCommandProcess(pVGAState->pDrv, pCrCmd); - break; - } - else - { - Assert(0); - } - - int tmpRc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd); - AssertRC(tmpRc); -// uint32_t cBufs = pCrCmd->cBuffers; -// for (uint32_t i = 0; i < cBufs; ++i) -// { -// PVBOXVDMACMD_CHROMIUM_BUFFER pBuf = &pCrCmd->aBuffers[i]; -// void *pvBuffer = pvRam + pBuf->offBuffer; -// uint32_t cbBuffer = pBuf->cbBuffer; -// } + AssertMsgFailed(("invalid chromium command buffer size!")); + return VERR_INVALID_PARAMETER; + } + PVGASTATE pVGAState = pVdma->pVGAState; + rc = VINF_SUCCESS; + if (pVGAState->pDrv->pfnCrHgsmiCommandProcess) + { + VBoxSHGSMICommandMarkAsynchCompletion(pCmdDr); + pVGAState->pDrv->pfnCrHgsmiCommandProcess(pVGAState->pDrv, pCrCmd, cbBody); break; } - case VBOXVDMACMD_TYPE_DMA_BPB_TRANSFER: + else { - PVBOXVDMACMD_DMA_BPB_TRANSFER pTransfer = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_DMA_BPB_TRANSFER); - int rc = vboxVDMACmdExecBpbTransfer(pVdma, pTransfer, sizeof (*pTransfer)); + Assert(0); + } + + int tmpRc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmdDr); + AssertRC(tmpRc); + break; + } + case VBOXVDMACMD_TYPE_DMA_BPB_TRANSFER: + { + PVBOXVDMACMD_DMA_BPB_TRANSFER pTransfer = VBOXVDMACMD_BODY(pDmaCmd, VBOXVDMACMD_DMA_BPB_TRANSFER); + if (cbBody < sizeof (*pTransfer)) + { + AssertMsgFailed(("invalid bpb transfer buffer size!")); + return VERR_INVALID_PARAMETER; + } + + rc = vboxVDMACmdExecBpbTransfer(pVdma, pTransfer, sizeof (*pTransfer)); + AssertRC(rc); + if (RT_SUCCESS(rc)) + { + pCmdDr->rc = VINF_SUCCESS; + rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmdDr); AssertRC(rc); - if (RT_SUCCESS(rc)) - { - pCmd->rc = VINF_SUCCESS; - rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd); - AssertRC(rc); - bCompleted = true; - } - break; + rc = VINF_SUCCESS; } - default: - break; - } - } - } - return bCompleted; + break; + } + default: + break; + } + } + return rc; } @@ -920,5 +936,5 @@ #endif -static void vboxVDMACommandProcess(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd) +static void vboxVDMACommandProcess(PVBOXVDMAHOST pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd) { PHGSMIINSTANCE pHgsmi = pVdma->pHgsmi; @@ -1171,5 +1187,5 @@ if (pCmd) { - int rc = vboxVDMACrCtlPost(pVGAState, pCmd); + int rc = vboxVDMACrCtlPost(pVGAState, pCmd, sizeof (*pCmd)); AssertRC(rc); if (RT_SUCCESS(rc)) @@ -1195,5 +1211,5 @@ if (pCmd) { - int rc = vboxVDMACrCtlPost(pVGAState, pCmd); + int rc = vboxVDMACrCtlPost(pVGAState, pCmd, sizeof (*pCmd)); AssertRC(rc); if (RT_SUCCESS(rc)) @@ -1211,5 +1227,5 @@ -void vboxVDMAControl(struct VBOXVDMAHOST *pVdma, PVBOXVDMA_CTL pCmd) +void vboxVDMAControl(struct VBOXVDMAHOST *pVdma, PVBOXVDMA_CTL pCmd, uint32_t cbCmd) { #if 1 @@ -1264,17 +1280,27 @@ } -void vboxVDMACommand(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd) -{ +void vboxVDMACommand(struct VBOXVDMAHOST *pVdma, PVBOXVDMACBUF_DR pCmd, uint32_t cbCmd) +{ + int rc = VERR_NOT_IMPLEMENTED; + #ifdef VBOX_WITH_CRHGSMI /* chromium commands are processed by crhomium hgcm thread independently from our internal cmd processing pipeline * this is why we process them specially */ - if (vboxVDMACmdCheckCrCmd(pVdma, pCmd)) + rc = vboxVDMACmdCheckCrCmd(pVdma, pCmd, cbCmd); + if (rc == VINF_SUCCESS) return; + + if (RT_FAILURE(rc)) + { + pCmd->rc = rc; + rc = VBoxSHGSMICommandComplete (pVdma->pHgsmi, pCmd); + AssertRC(rc); + return; + } #endif #ifndef VBOX_VDMA_WITH_WORKERTHREAD - vboxVDMACommandProcess(pVdma, pCmd); + vboxVDMACommandProcess(pVdma, pCmd, cbCmd); #else - int rc = VERR_NOT_IMPLEMENTED; # ifdef DEBUG_misha Index: /trunk/src/VBox/GuestHost/OpenGL/include/cr_server.h =================================================================== --- /trunk/src/VBox/GuestHost/OpenGL/include/cr_server.h (revision 39602) +++ /trunk/src/VBox/GuestHost/OpenGL/include/cr_server.h (revision 39603) @@ -315,6 +315,6 @@ * NOTE: it is ALWAYS responsibility of the crVBoxServerCrHgsmiCmd to complete the command! * */ -extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd); -extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl); +extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, uint32_t cbCmd); +extern DECLEXPORT(int32_t) crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl, uint32_t cbCtl); #endif Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp (revision 39602) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserver/crservice.cpp (revision 39603) @@ -939,5 +939,5 @@ if (cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR) { - rc = crVBoxServerCrHgsmiCmd((PVBOXVDMACMD_CHROMIUM_CMD)paParms[0].u.pointer.addr); + rc = crVBoxServerCrHgsmiCmd((PVBOXVDMACMD_CHROMIUM_CMD)paParms[0].u.pointer.addr, paParms[0].u.pointer.size); if (VERR_NOT_SUPPORTED == rc) { @@ -952,5 +952,5 @@ Assert(cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR); if (cParms == 1 && paParms[0].type == VBOX_HGCM_SVC_PARM_PTR) - rc = crVBoxServerCrHgsmiCtl((PVBOXVDMACMD_CHROMIUM_CTL)paParms[0].u.pointer.addr); + rc = crVBoxServerCrHgsmiCtl((PVBOXVDMACMD_CHROMIUM_CTL)paParms[0].u.pointer.addr, paParms[0].u.pointer.size); else rc = VERR_INVALID_PARAMETER; Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server.h =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server.h (revision 39602) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server.h (revision 39603) @@ -20,8 +20,15 @@ extern uint8_t* g_pvVRamBase; +extern uint32_t g_cbVRam; extern HCRHGSMICMDCOMPLETION g_hCrHgsmiCompletion; extern PFNCRHGSMICMDCOMPLETION g_pfnCrHgsmiCompletion; #define VBOXCRHGSMI_PTR(_off, _t) ((_t*)(g_pvVRamBase + (_off))) +#define VBOXCRHGSMI_PTR_SAFE(_off, _cb, _t) ((_t*)crServerCrHgsmiPtrGet(_off, _cb)) + +DECLINLINE(void*) crServerCrHgsmiPtrGet(VBOXVIDEOOFFSET offBuffer, uint32_t cbBuffer) +{ + return ((offBuffer) + (cbBuffer) <= g_cbVRam ? VBOXCRHGSMI_PTR(offBuffer, void) : NULL); +} DECLINLINE(void) crServerCrHgsmiCmdComplete(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, int cmdProcessingRc) Index: /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_main.c =================================================================== --- /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_main.c (revision 39602) +++ /trunk/src/VBox/HostServices/SharedOpenGL/crserverlib/server_main.c (revision 39603) @@ -33,4 +33,5 @@ # include uint8_t* g_pvVRamBase = NULL; +uint32_t g_cbVRam = 0; HCRHGSMICMDCOMPLETION g_hCrHgsmiCompletion = NULL; PFNCRHGSMICMDCOMPLETION g_pfnCrHgsmiCompletion = NULL; @@ -1353,9 +1354,10 @@ * NOTE: it is ALWAYS responsibility of the crVBoxServerCrHgsmiCmd to complete the command! * */ -int32_t crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd) +int32_t crVBoxServerCrHgsmiCmd(struct VBOXVDMACMD_CHROMIUM_CMD *pCmd, uint32_t cbCmd) { int32_t rc; uint32_t cBuffers = pCmd->cBuffers; uint32_t cParams; + uint32_t cbHdr; CRVBOXHGSMIHDR *pHdr; uint32_t u32Function; @@ -1365,5 +1367,5 @@ if (!g_pvVRamBase) { - CRASSERT(0); + crWarning("g_pvVRamBase is not initialized"); crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_STATE); return VINF_SUCCESS; @@ -1372,5 +1374,5 @@ if (!cBuffers) { - CRASSERT(0); + crWarning("zero buffers passed in!"); crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER); return VINF_SUCCESS; @@ -1379,5 +1381,20 @@ cParams = cBuffers-1; - pHdr = VBOXCRHGSMI_PTR(pCmd->aBuffers[0].offBuffer, CRVBOXHGSMIHDR); + cbHdr = pCmd->aBuffers[0].cbBuffer; + pHdr = VBOXCRHGSMI_PTR_SAFE(pCmd->aBuffers[0].offBuffer, cbHdr, CRVBOXHGSMIHDR); + if (!pHdr) + { + crWarning("invalid header buffer!"); + crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER); + return VINF_SUCCESS; + } + + if (cbHdr < sizeof (*pHdr)) + { + crWarning("invalid header buffer size!"); + crServerCrHgsmiCmdComplete(pCmd, VERR_INVALID_PARAMETER); + return VINF_SUCCESS; + } + u32Function = pHdr->u32Function; u32ClientID = pHdr->u32ClientID; @@ -1395,9 +1412,21 @@ VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1]; /* Fetch parameters. */ - uint8_t *pBuffer = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t); uint32_t cbBuffer = pBuf->cbBuffer; - - CRASSERT(pBuffer); + uint8_t *pBuffer = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t); + + if (cbHdr < sizeof (*pFnCmd)) + { + crWarning("invalid write cmd buffer size!"); + rc = VERR_INVALID_PARAMETER; + break; + } + CRASSERT(cbBuffer); + if (!pBuffer) + { + crWarning("invalid buffer data received from guest!"); + rc = VERR_INVALID_PARAMETER; + break; + } rc = crVBoxServerClientGet(u32ClientID, &pClient); @@ -1438,9 +1467,21 @@ uint32_t u32InjectClientID = pFnCmd->u32ClientID; VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1]; - uint8_t *pBuffer = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t); uint32_t cbBuffer = pBuf->cbBuffer; - - CRASSERT(pBuffer); + uint8_t *pBuffer = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t); + + if (cbHdr < sizeof (*pFnCmd)) + { + crWarning("invalid inject cmd buffer size!"); + rc = VERR_INVALID_PARAMETER; + break; + } + CRASSERT(cbBuffer); + if (!pBuffer) + { + crWarning("invalid buffer data received from guest!"); + rc = VERR_INVALID_PARAMETER; + break; + } rc = crVBoxServerClientGet(u32InjectClientID, &pClient); @@ -1477,6 +1518,21 @@ VBOXVDMACMD_CHROMIUM_BUFFER *pBuf = &pCmd->aBuffers[1]; /* Fetch parameters. */ - uint8_t *pBuffer = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t); uint32_t cbBuffer = pBuf->cbBuffer; + uint8_t *pBuffer = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t); + + if (cbHdr < sizeof (*pFnCmd)) + { + crWarning("invalid read cmd buffer size!"); + rc = VERR_INVALID_PARAMETER; + break; + } + + + if (!pBuffer) + { + crWarning("invalid buffer data received from guest!"); + rc = VERR_INVALID_PARAMETER; + break; + } rc = crVBoxServerClientGet(u32ClientID, &pClient); @@ -1518,13 +1574,33 @@ /* Fetch parameters. */ - uint8_t *pBuffer = VBOXCRHGSMI_PTR(pBuf->offBuffer, uint8_t); uint32_t cbBuffer = pBuf->cbBuffer; - - uint8_t *pWriteback = VBOXCRHGSMI_PTR(pWbBuf->offBuffer, uint8_t); + uint8_t *pBuffer = VBOXCRHGSMI_PTR_SAFE(pBuf->offBuffer, cbBuffer, uint8_t); + uint32_t cbWriteback = pWbBuf->cbBuffer; - - CRASSERT(pBuffer); + uint8_t *pWriteback = VBOXCRHGSMI_PTR_SAFE(pWbBuf->offBuffer, cbWriteback, uint8_t); + + if (cbHdr < sizeof (*pFnCmd)) + { + crWarning("invalid write_read cmd buffer size!"); + rc = VERR_INVALID_PARAMETER; + break; + } + + CRASSERT(cbBuffer); - + if (!pBuffer) + { + crWarning("invalid write buffer data received from guest!"); + rc = VERR_INVALID_PARAMETER; + break; + } + + CRASSERT(cbWriteback); + if (!pWriteback) + { + crWarning("invalid writeback buffer data received from guest!"); + rc = VERR_INVALID_PARAMETER; + break; + } rc = crVBoxServerClientGet(u32ClientID, &pClient); if (RT_FAILURE(rc)) @@ -1582,5 +1658,5 @@ } -int32_t crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl) +int32_t crVBoxServerCrHgsmiCtl(struct VBOXVDMACMD_CHROMIUM_CTL *pCtl, uint32_t cbCtl) { int rc = VINF_SUCCESS; @@ -1591,5 +1667,6 @@ { PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP pSetup = (PVBOXVDMACMD_CHROMIUM_CTL_CRHGSMI_SETUP)pCtl; - g_pvVRamBase = (uint8_t*)pSetup->pvRamBase; + g_pvVRamBase = (uint8_t*)pSetup->pvVRamBase; + g_cbVRam = pSetup->cbVRam; rc = VINF_SUCCESS; break; Index: /trunk/src/VBox/Main/include/DisplayImpl.h =================================================================== --- /trunk/src/VBox/Main/include/DisplayImpl.h (revision 39602) +++ /trunk/src/VBox/Main/include/DisplayImpl.h (revision 39603) @@ -131,6 +131,6 @@ #endif #ifdef VBOX_WITH_CRHGSMI - void handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd); - void handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl); + void handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd); + void handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl); void handleCrHgsmiCommandCompletion(int32_t result, uint32_t u32Function, PVBOXHGCMSVCPARM pParam); @@ -202,6 +202,6 @@ #ifdef VBOX_WITH_CRHGSMI - static DECLCALLBACK(void) displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd); - static DECLCALLBACK(void) displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl); + static DECLCALLBACK(void) displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd); + static DECLCALLBACK(void) displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl); static DECLCALLBACK(void) displayCrHgsmiCommandCompletion(int32_t result, uint32_t u32Function, PVBOXHGCMSVCPARM pParam, void *pvContext); Index: /trunk/src/VBox/Main/src-client/DisplayImpl.cpp =================================================================== --- /trunk/src/VBox/Main/src-client/DisplayImpl.cpp (revision 39602) +++ /trunk/src/VBox/Main/src-client/DisplayImpl.cpp (revision 39603) @@ -3497,5 +3497,5 @@ } -void Display::handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd) +void Display::handleCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd) { int rc = VERR_INVALID_FUNCTION; @@ -3503,5 +3503,5 @@ parm.type = VBOX_HGCM_SVC_PARM_PTR; parm.u.pointer.addr = pCmd; - parm.u.pointer.size = 0; + parm.u.pointer.size = cbCmd; if (mhCrOglSvc) @@ -3525,5 +3525,5 @@ } -void Display::handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl) +void Display::handleCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCtl, uint32_t cbCtl) { int rc = VERR_INVALID_FUNCTION; @@ -3531,5 +3531,5 @@ parm.type = VBOX_HGCM_SVC_PARM_PTR; parm.u.pointer.addr = pCtl; - parm.u.pointer.size = 0; + parm.u.pointer.size = cbCtl; if (mhCrOglSvc) @@ -3552,16 +3552,16 @@ -DECLCALLBACK(void) Display::displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd) +DECLCALLBACK(void) Display::displayCrHgsmiCommandProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CMD pCmd, uint32_t cbCmd) { PDRVMAINDISPLAY pDrv = PDMIDISPLAYCONNECTOR_2_MAINDISPLAY(pInterface); - pDrv->pDisplay->handleCrHgsmiCommandProcess(pInterface, pCmd); -} - -DECLCALLBACK(void) Display::displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCmd) + pDrv->pDisplay->handleCrHgsmiCommandProcess(pInterface, pCmd, cbCmd); +} + +DECLCALLBACK(void) Display::displayCrHgsmiControlProcess(PPDMIDISPLAYCONNECTOR pInterface, PVBOXVDMACMD_CHROMIUM_CTL pCmd, uint32_t cbCmd) { PDRVMAINDISPLAY pDrv = PDMIDISPLAYCONNECTOR_2_MAINDISPLAY(pInterface); - pDrv->pDisplay->handleCrHgsmiControlProcess(pInterface, pCmd); + pDrv->pDisplay->handleCrHgsmiControlProcess(pInterface, pCmd, cbCmd); }