pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-28 16:29:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

prevent integer overflow in red_get_clip_rects

Browse Source 
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2015-09-08 13:07:00 +01:00
parent d25d6ca0f2
commit 2571cec5eb
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
server/red-parse-qxl.c
View File

@ -332,7 +332,12 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
red_put_data_chunks(&chunks);
num_rects = qxl->num_rects;
spice_assert(num_rects * sizeof(QXLRect) == size);
/* The cast is needed to prevent 32 bit integer overflows.
* This check is enough as size is limited to 31 bit
* by red_get_data_chunks_ptr checks.
*/
spice_assert((uint64_t) num_rects * sizeof(QXLRect) == size);
G_STATIC_ASSERT(sizeof(SpiceRect) == sizeof(QXLRect));
red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
red->num_rects = num_rects;