worker: Fix potential sprintf overflow

If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a
negative signed int) then
sprintf(worker_str, "display[%d]", worker->qxl->id);
will need:

"display[]" -> 9 bytes
%d -> 11 bytes

The trailing \0 will thus overflow our 20 bytes destination.
As QXLInstance::id should be an unsigned int, this commit changes the
format string to use %u. This also switches to snprintf.

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Christophe Fergeau 2019-03-20 15:56:07 +00:00 committed by Frediano Ziglio
parent bcf55b978f
commit 4f8db6fac3


@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
worker->driver_cap_monitors_config = 0;
char worker_str[SPICE_STAT_NODE_NAME_MAX];
sprintf(worker_str, "display[%d]", worker->qxl->id);
snprintf(worker_str, sizeof(worker_str), "display[%d]", worker->qxl->id & 0xff);
stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);
stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);
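Review bot: The snprintf line masks the id with `& 0xff` and keeps `%d`, which does not match the description's stated switch to `%u`, and it gives any two QXL ids that share their low 8 bits the same stat node name. The mask does cap the text at "display[255]", so the stack write into worker_str stays in bounds, but the aliasing is not documented anywhere in the hunk. If the mask is intended, add a comment such as `/* id is masked to 8 bits so the node name always fits worker_str */`; otherwise consider `snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned int) worker->qxl->id);`, which at 10 digits still fits if SPICE_STAT_NODE_NAME_MAX is 20 as the description implies. red_worker_new starts and ends outside the hunk, and the declared type of id is not visible here, so the cast is a guess at what is needed.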