From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Fri, 22 Dec 2017 18:43:00 +0000
Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking for image type

The type of the image is just copied from network without any check and later used for array indexing.

Signed-off-by: Frediano Ziglio
Acked-by: Uri Lublin
---
 common/lz.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
index 87c13db..2c5d5e2 100644
--- a/spice-common/common/lz.c
+++ b/spice-common/common/lz.c
@@ -593,6 +593,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
 }
 encoder->type = (LzImageType)decode_32(encoder);
+ if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
+ }
 encoder->width = decode_32(encoder);
 encoder->height = decode_32(encoder);
 encoder->stride = decode_32(encoder);
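Review bot: The added range check only protects the later array indexing if `encoder->usr->error` never returns; nothing in the hunk establishes that, and execution falls straight through to the width/height/stride reads with the rejected type still stored in `encoder->type`. If any usr implementation's error callback can return, the out-of-range index the commit message describes is still reachable. Since the hunk header shows `lz_decode_begin` is `void`, I would make the non-return explicit with `return;` after the error call, or at minimum document the reliance above the check: `/* usr->error() must not return: an out-of-range type would otherwise be used as an array index below */`. The upper bound also hard-codes `LZ_IMAGE_TYPE_A8` as the last valid enumerator, so adding a new image type without touching this line silently re-opens the hole; a trailing sentinel in the enum, or a comment on the enum pointing here, would make that harder to miss. The body of `lz_decode_begin` begins and ends outside the hunk.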