pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-27 07:29:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Prevent 32 bit integer overflow in bitmap_consistent

Browse Source 
The overflow may lead to buffer overflow as the row size computed from
width (bitmap->x) can be bigger than the size in bytes (bitmap->stride).
This can make spice-server accept the invalid sizes.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2015-09-08 13:09:35 +01:00
parent 68a742aaa8
commit 0f58e9da56
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
server/red_parse_qxl.c
View File

@ -357,11 +357,12 @@ static const char *bitmap_format_to_string(int format)
return "unknown";
}
static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8};
static const unsigned int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] =
{0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8};
static int bitmap_consistent(SpiceBitmap *bitmap)
{
int bpp;
unsigned int bpp;
if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
spice_warning("wrong format specified for image\n");
@ -370,7 +371,7 @@ static int bitmap_consistent(SpiceBitmap *bitmap)
bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
if (bitmap->stride < (((uint64_t) bitmap->x * bpp + 7u) / 8u)) {
spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
bitmap->stride, bitmap->x, bpp,
bitmap_format_to_string(bitmap->format),