Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
spice.5102
0018-Prevent-data_size-to-be-set-independently-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0018-Prevent-data_size-to-be-set-independently-from-data.patch of Package spice.5102
From b3be589ab3b32af3e470a9dec19a61fb086f72fc Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <fziglio@redhat.com> Date: Thu, 17 Sep 2015 14:28:36 +0100 Subject: [PATCH 18/19] Prevent data_size to be set independently from data There was not check for data_size field so one could set data to a small set of data and data_size much bigger than size of data leading to buffer overflow. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> --- server/red_parse_qxl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index c7f8650..3ce4431 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -1388,6 +1388,7 @@ static int red_get_cursor(RedMemSlotInfo *slots, int group_id, size = red_get_data_chunks_ptr(slots, group_id, get_memslot_id(slots, addr), &chunks, &qxl->chunk); + red->data_size = MIN(red->data_size, size); data = red_linearize_chunk(&chunks, size, &free_data); red_put_data_chunks(&chunks); if (free_data) { -- 2.1.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor