File 0006-Fix-buffer-reading-overflow.patch of Package spice

Overview Repositories Revisions Requests Users Attributes Meta

File 0006-Fix-buffer-reading-overflow.patch of Package spice

From 68a742aaa8d692940ac15d021799b702412887e5 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:00:37 +0100
Subject: [PATCH 06/19] Fix buffer reading overflow

Not security risk as just for read.
However, this could be used to attempt integer overflows in the
following lines.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Index: spice-0.12.4/server/red_parse_qxl.c
===================================================================
--- spice-0.12.4.orig/server/red_parse_qxl.c
+++ spice-0.12.4/server/red_parse_qxl.c
@@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_
 
 static int bitmap_consistent(SpiceBitmap *bitmap)
 {
-    int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
+    int bpp;
+
+    if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
+        spice_warning("wrong format specified for image\n");
+        return FALSE;
+    }
+
+    bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
 
     if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
         spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",

Places

File 0006-Fix-buffer-reading-overflow.patch of Package spice

Places