pxcloud/spice-common
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice-common synced 2026-01-01 04:11:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

quic: Check image size in quic_decode_begin

Browse Source 
Avoid some overflow in code due to images too big or
negative numbers.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
This commit is contained in:
Frediano Ziglio 2020-04-29 15:10:24 +01:00
parent 762e0abae3
commit 404d74782c
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
common/quic.c
View File

@ -56,6 +56,9 @@ typedef uint8_t BYTE;
#define MINwminext 1
#define MAXwminext 100000000
/* Maximum image size in pixels, mainly to avoid possible integer overflows */
#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
typedef struct QuicFamily {
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
unmodified GR codewords in the code */
@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
height = encoder->io_word;
decode_eat32bits(encoder);
if (width <= 0 || height <= 0) {
encoder->usr->warn(encoder->usr, "invalid size\n");
return QUIC_ERROR;
}
/* avoid too big images */
if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
encoder->usr->error(encoder->usr, "image too large\n");
}
quic_image_params(encoder, type, &channels, &bpc);
if (!encoder_reset_channels(encoder, channels, width, bpc)) {