From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001

From: Frediano Ziglio <freddy77@gmail.com>

Date: Wed, 29 Apr 2020 15:11:38 +0100

Subject: [PATCH spice-common 3/4] quic: Check RLE lengths

Avoid buffer overflows decoding images. On compression we compute

lengths till end of line so it won't cause regressions.

Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>

Acked-by: Uri Lublin <uril@redhat.com>

---

 common/quic_tmpl.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/spice-common/common/quic_rgb_tmpl.c b/spice-common/common/quic_rgb_tmpl.c

index 4800ece..7fdfedf 100644

--- a/spice-common/common/quic_rgb_tmpl.c

+++ b/spice-common/common/quic_rgb_tmpl.c

@@ -599,7 +599,11 @@ static void FNAME(uncompress_row_seg)(Encoder *encoder,

 do_run:

         state->waitcnt = stopidx - i;

         run_index = i;

-        run_end = i + decode_run(encoder);

+        run_end = decode_run(encoder);

+        if (run_end < 0 || run_end > (end - i)) {

+            encoder->usr->error(encoder->usr, "wrong RLE\n");

+        }

+        run_end += i;

         for (; i < run_end; i++) {

             UNCOMPRESS_PIX_START(&cur_row[i]);

diff --git a/spice-common/common/quic_tmpl.c b/spice-common/common/quic_tmpl.c

index dc2f81b..7f6db92 100644

--- a/spice-common/common/quic_tmpl.c

+++ b/spice-common/common/quic_tmpl.c

@@ -486,7 +486,11 @@ static void FNAME(uncompress_row_seg)(Encoder *encoder, Channel *channel,

 do_run:

         state->waitcnt = stopidx - i;

         run_index = i;

-        run_end = i + decode_channel_run(encoder, channel);

+        run_end = decode_channel_run(encoder, channel);

+        if (run_end < 0 || run_end > (end - i)) {

+            encoder->usr->error(encoder->usr, "wrong RLE\n");

+        }

+        run_end += i;

         for (; i < run_end; i++) {

             UNCOMPRESS_PIX_START(&cur_row[i]);

-- 

2.25.4