Fix invalid vdagent buffer access

The callers use the "size" argument in different ways: either as the size of
the data to convert, or as the end boundary from which the offset is deducted.

Fix it so that the "size" argument means the amount of data to convert, in
bytes; that seems simpler and saner. (yay C)

Fixes: spice#53

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This commit is contained in:
Marc-André Lureau 2021-04-13 21:27:00 +04:00
parent 68188b0c21
commit 91362d045a


@ -132,8 +132,8 @@ static void uint16_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
uint32_t i;
uint16_unaligned_t *msg = (uint16_unaligned_t *)(_msg + offset);
/* offset - size % 2 should be 0 - extra bytes are ignored */
for (i = 0; i < (size - offset) / 2; i++) {
/* size % 2 should be 0 - extra bytes are ignored */
for (i = 0; i < size / 2; i++) {
FIX_ENDIAN16(msg[i].v);
}
}
@ -143,8 +143,8 @@ static void uint32_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
uint32_t i;
uint32_unaligned_t *msg = (uint32_unaligned_t *)(_msg + offset);
/* offset - size % 4 should be 0 - extra bytes are ignored */
for (i = 0; i < (size - offset) / 4; i++) {
/* size % 4 should be 0 - extra bytes are ignored */
for (i = 0; i < size / 4; i++) {
FIX_ENDIAN32(msg[i].v);
}
}
@ -168,7 +168,7 @@ agent_message_clipboard_from_le(const VDAgentMessage *message_header, uint8_t *d
FIX_ENDIAN32(data_type->v);
break;
case VD_AGENT_CLIPBOARD_GRAB:
uint32_from_le(data, message_header->size, min_size);
uint32_from_le(data, message_header->size - min_size, min_size);
break;
case VD_AGENT_CLIPBOARD_RELEASE:
// empty
@ -318,7 +318,7 @@ agent_check_message(const VDAgentMessage *message_header, uint8_t *message,
if (vdata->nchannels > max_channels) {
return AGENT_CHECK_TRUNCATED;
}
uint16_from_le(message, message_header->size, sizeof(*vdata));
uint16_from_le(message, message_header->size - sizeof(*vdata), sizeof(*vdata));
break;
}
default:
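Review bot: The new argument `message_header->size - sizeof(*vdata)` in agent_check_message wraps to a huge value when `message_header->size` is smaller than `sizeof(*vdata)`, and uint16_from_le would then run far past the end of `message`; the same applies to `message_header->size - min_size` in the VD_AGENT_CLIPBOARD_GRAB arm of agent_message_clipboard_from_le. A minimum-size check may already precede these lines, but it is outside the hunk, as are the starts and ends of both enclosing functions, so it cannot be confirmed from here. If it is not already enforced, add `if (message_header->size < sizeof(*vdata)) { return AGENT_CHECK_TRUNCATED; }` ahead of the nchannels test, and the equivalent guard on min_size in the clipboard helper. The subtraction is also computed in size_t and narrowed implicitly to the uint32_t parameter; an explicit `(uint32_t)` cast would make the intended width visible under -Wconversion.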