Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
spice.1097
0004-Fix-some-integer-overflow-causing-large-me...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0004-Fix-some-integer-overflow-causing-large-memory-alloc.patch of Package spice.1097
From ac5f64a80ae637742ed95fd6c98f66281b3e15c6 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <fziglio@redhat.com> Date: Thu, 17 Sep 2015 15:00:22 +0100 Subject: [PATCH 04/19] Fix some integer overflow causing large memory allocations Prevent integer overflow when computing image sizes. Image index computations are done using 32 bit so this can cause easily security issues. MAX_DATA_CHUNK is larger than the virtual card limit, so this is not going to cause change in behaviours. Comparing size calculation results with MAX_DATA_CHUNK will allow us to catch overflows. Prevent guest from allocating large amount of memory. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> --- server/red_parse_qxl.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c +++ spice-0.12.4/server/red_parse_qxl.c @@ -384,7 +384,7 @@ static SpiceImage *red_get_image(RedMemS QXLImage *qxl; SpiceImage *red = NULL; SpicePalette *rp = NULL; - size_t bitmap_size, size; + uint64_t bitmap_size, size; uint8_t qxl_flags; int error; @@ -460,7 +460,10 @@ static SpiceImage *red_get_image(RedMemS red->u.bitmap.palette = rp; red->u.bitmap.palette_id = rp->unique; } - bitmap_size = red->u.bitmap.y * abs(red->u.bitmap.stride); + bitmap_size = (uint64_t) red->u.bitmap.y * abs(red->u.bitmap.stride); + if (bitmap_size > MAX_DATA_CHUNK) { + goto error; + } if (qxl_flags & QXL_BITMAP_DIRECT) { red->u.bitmap.data = red_get_image_data_flat(slots, group_id, qxl->bitmap.data, @@ -1220,7 +1223,7 @@ int red_get_surface_cmd(RedMemSlotInfo * RedSurfaceCmd *red, QXLPHYSICAL addr) { QXLSurfaceCmd *qxl; - size_t size; + uint64_t size; int error; qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, @@ -1240,7 +1243,11 @@ int red_get_surface_cmd(RedMemSlotInfo * red->u.surface_create.width = qxl->u.surface_create.width; red->u.surface_create.height = qxl->u.surface_create.height; red->u.surface_create.stride = qxl->u.surface_create.stride; - size = red->u.surface_create.height * abs(red->u.surface_create.stride); + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ + size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); + if (size > MAX_DATA_CHUNK || red->u.surface_create.stride == G_MININT32) { + return 1; + } red->u.surface_create.data = (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); if (error) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
