pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-28 16:29:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix some possible overflows in red_get_string for 32 bit

Browse Source 
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2015-09-08 13:06:03 +01:00
parent 7d69184037
commit a447c4f2ac
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/red_parse_qxl.c
View File

@ -892,6 +892,11 @@ static SpiceString *red_get_string(RedMemSlotInfo *slots, int group_id,
glyphs++;
glyph_size = start->height * ((start->width * bpp + 7u) / 8u);
red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4);
/* do the test correctly, we know end - start->data[0] cannot
* overflow, don't use start->data[glyph_size] to test for
* buffer overflow as this on 32 bit can cause overflow
* on the pointer arithmetic */
spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]);
start = (QXLRasterGlyph*)(&start->data[glyph_size]);
}
spice_assert(start <= end);
@ -912,7 +917,8 @@ static SpiceString *red_get_string(RedMemSlotInfo *slots, int group_id,
red_get_point_ptr(&glyph->render_pos, &start->render_pos);
red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin);
glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u);
spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end);
/* see above for similar test */
spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]);
memcpy(glyph->data, start->data, glyph_size);
start = (QXLRasterGlyph*)(&start->data[glyph_size]);
glyph = (SpiceRasterGlyph*)