Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
spice.1097
0006-Fix-buffer-reading-overflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0006-Fix-buffer-reading-overflow.patch of Package spice.1097
From 68a742aaa8d692940ac15d021799b702412887e5 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <fziglio@redhat.com> Date: Tue, 8 Sep 2015 10:00:37 +0100 Subject: [PATCH 06/19] Fix buffer reading overflow Not security risk as just for read. However, this could be used to attempt integer overflows in the following lines. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com> --- server/red_parse_qxl.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c +++ spice-0.12.4/server/red_parse_qxl.c @@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_ static int bitmap_consistent(SpiceBitmap *bitmap) { - int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; + int bpp; + + if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) { + spice_warning("wrong format specified for image\n"); + return FALSE; + } + + bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor