From: ChenLiang <chenlian...@huawei.com> xbzrle_encode_buffer checks the value in the vm ram repeatedly. It is risk if runs xbzrle_encode_buffer on changing data. And it is not necessary.
Reported-by: Dr. David Alan Gilbert <dgilb...@redhat.com> Signed-off-by: ChenLiang <chenlian...@huawei.com> Signed-off-by: Gonglei <arei.gong...@huawei.com> --- xbzrle.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/xbzrle.c b/xbzrle.c index fbcb35d..92cccd7 100644 --- a/xbzrle.c +++ b/xbzrle.c @@ -27,9 +27,10 @@ int xbzrle_encode_buffer(uint8_t *old_buf, uint8_t *new_buf, int slen, uint8_t *dst, int dlen) { uint32_t zrun_len = 0, nzrun_len = 0; - int d = 0, i = 0; + int d = 0, i = 0, j; long res, xor; uint8_t *nzrun_start = NULL; + uint8_t *xor_ptr = (uint8_t *)(&xor); g_assert(!(((uintptr_t)old_buf | (uintptr_t)new_buf | slen) % sizeof(long))); @@ -82,6 +83,8 @@ int xbzrle_encode_buffer(uint8_t *old_buf, uint8_t *new_buf, int slen, if (d + 2 > dlen) { return -1; } + i++; + nzrun_len++; /* not aligned to sizeof(long) */ res = (slen - i) % sizeof(long); while (res && old_buf[i] != new_buf[i]) { @@ -98,11 +101,16 @@ int xbzrle_encode_buffer(uint8_t *old_buf, uint8_t *new_buf, int slen, xor = *(long *)(old_buf + i) ^ *(long *)(new_buf + i); if ((xor - mask) & ~xor & (mask << 7)) { /* found the end of an nzrun within the current long */ - while (old_buf[i] != new_buf[i]) { - nzrun_len++; - i++; + for (j = 0; j < sizeof(long); j++) { + if (0 == xor_ptr[j]) { + break; + } + } + i += j; + nzrun_len += j; + if (j != sizeof(long)) { + break; } - break; } else { i += sizeof(long); nzrun_len += sizeof(long); @@ -118,6 +126,8 @@ int xbzrle_encode_buffer(uint8_t *old_buf, uint8_t *new_buf, int slen, memcpy(dst + d, nzrun_start, nzrun_len); d += nzrun_len; nzrun_len = 0; + i++; + zrun_len++; } return d; -- 1.7.12.4