|
 |
b95fd1 |
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
|
|
|
b95fd1 |
From: Frediano Ziglio <freddy77@gmail.com>
|
|
|
b95fd1 |
Date: Wed, 29 Apr 2020 15:11:38 +0100
|
|
|
b95fd1 |
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
|
|
|
b95fd1 |
|
|
|
b95fd1 |
Avoid buffer overflows decoding images. On compression we compute
|
|
|
b95fd1 |
lengths till end of line so it won't cause regressions.
|
|
|
b95fd1 |
Proved by fuzzing the code.
|
|
|
b95fd1 |
|
|
|
b95fd1 |
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
|
b95fd1 |
Acked-by: Uri Lublin <uril@redhat.com>
|
|
|
b95fd1 |
---
|
|
|
b95fd1 |
common/quic_tmpl.c | 6 +++++-
|
|
|
b95fd1 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
b95fd1 |
|
|
|
b95fd1 |
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
|
|
|
b95fd1 |
index f0a4927..11e09f5 100644
|
|
|
b95fd1 |
--- a/subprojects/spice-common/common/quic_tmpl.c
|
|
|
b95fd1 |
+++ b/subprojects/spice-common/common/quic_tmpl.c
|
|
|
b95fd1 |
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
|
|
|
b95fd1 |
do_run:
|
|
|
b95fd1 |
state->waitcnt = stopidx - i;
|
|
|
b95fd1 |
run_index = i;
|
|
|
b95fd1 |
- run_end = i + decode_state_run(encoder, state);
|
|
|
b95fd1 |
+ run_end = decode_state_run(encoder, state);
|
|
|
b95fd1 |
+ if (run_end < 0 || run_end > (end - i)) {
|
|
|
b95fd1 |
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
|
|
|
b95fd1 |
+ }
|
|
|
b95fd1 |
+ run_end += i;
|
|
|
b95fd1 |
|
|
|
b95fd1 |
for (; i < run_end; i++) {
|
|
|
b95fd1 |
UNCOMPRESS_PIX_START(&cur_row[i]);
|
|
|
b95fd1 |
--
|
|
|
b95fd1 |
2.25.4
|
|
|
b95fd1 |
|