File 0001-lz-Avoid-buffer-reading-overflow-checking-... of Package spice

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch of Package spice (Revision c32a0c6aa4bde6d83c048c303c65ca8b)

Currently displaying revision c32a0c6aa4bde6d83c048c303c65ca8b , Show latest

From b94b3ca285d81180ed8fdf18f949761e40657b93 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 22 Dec 2017 18:43:00 +0000
Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking
 for image type

The type of the image is just copied from network without
any check and later used for array indexing.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 common/lz.c        | 3 +++
 common/lz_common.h | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/common/lz.c b/common/lz.c
index b7e7d48..e76105e 100644
--- a/common/lz.c
+++ b/common/lz.c
@@ -594,6 +594,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
     }
 
     encoder->type = (LzImageType)decode_32(encoder);
+    if (encoder->type < 0 || encoder->type > LZ_IMAGE_TYPE_MAX) {
+        encoder->usr->error(encoder->usr, "invalid lz type\n");
+    }
     encoder->width = decode_32(encoder);
     encoder->height = decode_32(encoder);
     encoder->stride = decode_32(encoder);
diff --git a/common/lz_common.h b/common/lz_common.h
index 78df003..6526d16 100644
--- a/common/lz_common.h
+++ b/common/lz_common.h
@@ -51,6 +51,7 @@ typedef enum {
 
 #define LZ_IMAGE_TYPE_MASK 0x0f
 #define LZ_IMAGE_TYPE_LOG 4 // number of bits required for coding the image type
+#define LZ_IMAGE_TYPE_MAX LZ_IMAGE_TYPE_A8
 
 /* access to the arrays is based on the image types */
 static const int IS_IMAGE_TYPE_PLT[] = {0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0};
@@ -58,10 +59,10 @@ static const int IS_IMAGE_TYPE_RGB[] = {0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1};
 static const int PLT_PIXELS_PER_BYTE[] = {0, 8, 8, 2, 2, 1};
 static const int RGB_BYTES_PER_PIXEL[] = {0, 1, 1, 1, 1, 1, 2, 3, 4, 4, 4, 1};
 
-verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_A8 + 1));
-verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_A8 + 1));
+verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_MAX + 1));
+verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_MAX + 1));
 verify(SPICE_N_ELEMENTS(PLT_PIXELS_PER_BYTE) == (LZ_IMAGE_TYPE_PLT8 + 1));
-verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_A8 + 1));
+verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_MAX + 1));
 
 /* ASCII "LZ  " */
 #define LZ_MAGIC 0x20205a4c
-- 
2.17.1

Places

File 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch of Package spice (Revision c32a0c6aa4bde6d83c048c303c65ca8b)

Places