
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:11:38 +0100
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
Avoid buffer overflows while decoding images. On compression, run lengths
are computed only up to the end of the line, so valid streams never
exceed this bound and the new check causes no regressions.

Found by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 common/quic_tmpl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
index f0a4927..11e09f5 100644
--- a/subprojects/spice-common/common/quic_tmpl.c
+++ b/subprojects/spice-common/common/quic_tmpl.c
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
 do_run:
         state->waitcnt = stopidx - i;
         run_index = i;
-        run_end = i + decode_state_run(encoder, state);
+        run_end = decode_state_run(encoder, state);
+        if (run_end < 0 || run_end > (end - i)) {
+            encoder->usr->error(encoder->usr, "wrong RLE\n");
+        }
+        run_end += i;
 
         for (; i < run_end; i++) {
             UNCOMPRESS_PIX_START(&cur_row[i]);
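Review bot: The new bound check on `run_end` only prevents the overflow if `encoder->usr->error()` never returns; as written, control falls straight through to `run_end += i` and into the `for` loop, so a callback that merely logs and returns would still run past `cur_row`. If the contract is that the error callback longjmps or aborts, record that beside the call, e.g. `/* usr->error() must not return: the run below would otherwise overflow cur_row */`; if that cannot be guaranteed for every usr implementation, add an explicit `return;` after it. The `run_end < 0` test is also only meaningful if `run_end` is a signed type — its declaration is outside this hunk, so it is worth confirming it is not `unsigned`, where the comparison would be silently always false. uncompress_row_seg begins and ends outside this hunk.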
-- 
2.25.4