From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 27 Jun 2018 10:55:05 +0100 Subject: [PATCH spice-common] canvas_base: Check for overflows decoding LZ4 Check that we have enough data before reading. This could lead to read buffer overflows being undetected. This is not a security issue, read happens only in the client not causing any information leakage, maximum can generate a crash or some garbage on the screen. Signed-off-by: Frediano Ziglio Acked-by: Jonathon Jongsma --- common/canvas_base.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/spice-common/common/canvas_base.c b/spice-common/common/canvas_base.c index 2fd60aa..3283e88 100644 --- a/spice-common/common/canvas_base.c +++ b/spice-common/common/canvas_base.c @@ -537,6 +537,10 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) width = image->descriptor.width; stride_encoded = width; height = image->descriptor.height; + if (data + 2 > data_end) { + g_warning("missing header in LZ4 data"); + return NULL; + } top_down = *(data++); spice_format = *(data++); switch (spice_format) { @@ -579,16 +583,22 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) bits = dest; do { + if (data + 4 > data_end) { + goto format_error; + } // Read next compressed block enc_size = ntohl(*SPICE_UNALIGNED_CAST(uint32_t *, data)); data += 4; + /* check overflow. This check is a bit different to avoid + * possible overflows. From previous check data_end - data cannot overflow. + * Computing data + enc_size on 32 bit could cause overflows. */ + if (enc_size < 0 || data_end - data < (unsigned int) enc_size) { + goto format_error; + } dec_size = LZ4_decompress_safe_continue(stream, (const char *) data, (char *) dest, enc_size, available); if (dec_size <= 0) { - spice_warning("Error decoding LZ4 block\n"); - pixman_image_unref(surface); - surface = NULL; - break; + goto format_error; } dest += dec_size; available -= dec_size; @@ -599,6 +609,12 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) LZ4_freeStreamDecode(stream); return surface; + +format_error: + spice_warning("Error decoding LZ4 block\n"); + LZ4_freeStreamDecode(stream); + pixman_image_unref(surface); + return NULL; } #endif