
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:11:38 +0100
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute
run lengths only up to the end of the line, so the new check cannot cause regressions.
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 common/quic_tmpl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
199a67
index f0a4927..11e09f5 100644
199a67
--- a/subprojects/spice-common/common/quic_tmpl.c
199a67
+++ b/subprojects/spice-common/common/quic_tmpl.c
199a67
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
199a67
 do_run:
199a67
         state->waitcnt = stopidx - i;
199a67
         run_index = i;
199a67
-        run_end = i + decode_state_run(encoder, state);
199a67
+        run_end = decode_state_run(encoder, state);
199a67
+        if (run_end < 0 || run_end > (end - i)) {
199a67
+            encoder->usr->error(encoder->usr, "wrong RLE\n");
199a67
+        }
199a67
+        run_end += i;
199a67
 
199a67
         for (; i < run_end; i++) {
199a67
             UNCOMPRESS_PIX_START(&cur_row[i]);
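Review bot: The new guard only calls `encoder->usr->error(...)` and then falls through to `run_end += i;` and the `for (; i < run_end; i++)` loop, so the overrun of `cur_row` is prevented only if that callback never returns (in SPICE it conventionally longjmps or aborts), which nothing in the hunk states. I would document that contract right at the call site, `/* usr->error() must not return: if it did, the loop below would still write past cur_row */`, or, if the function's contract permits it, follow the call with an explicit `return;` so the check does not depend on callback behaviour defined elsewhere. It is also worth confirming that `run_end` is declared as a signed type now that it first holds the raw `decode_state_run()` result; if it is unsigned, `run_end < 0` is dead and only the upper bound protects the buffer. uncompress_row_seg begins and ends outside this hunk, so the types of `run_end`, `end` and `i` cannot be verified from here.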
199a67
-- 
199a67
2.25.4
199a67