rpms / spice

Clone
Source Code
GIT

Blame SOURCES/0005-websocket-Fix-possible-integer-overflow.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s
  1.   71f8a68026e33053ae05b98d28fe43627000d108
  2.   SOURCES
  3.   0005-websocket-Fix-possible-integer-overflow.patch
Blob History Raw
b95fd1 
From b8f4d7d2c7a3d08a82f4bc7588cdff15cee54292 Mon Sep 17 00:00:00 2001
b95fd1 
From: Frediano Ziglio <freddy77@gmail.com>
b95fd1 
Date: Tue, 16 Jun 2020 11:49:19 +0100
b95fd1 
Subject: [PATCH] websocket: Fix possible integer overflow
b95fd1
b95fd1 
The shift of a uint_8 number by a number > 32 causes an overflow.
b95fd1
b95fd1 
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
b95fd1 
Acked-by: Uri Lublin <ulublin@redhat.com>
b95fd1 
---
b95fd1 
 server/websocket.c | 5 +++--
b95fd1 
 1 file changed, 3 insertions(+), 2 deletions(-)
b95fd1
b95fd1 
diff --git a/server/websocket.c b/server/websocket.c
b95fd1 
index f5df63f8..82b20b49 100644
b95fd1 
--- a/server/websocket.c
b95fd1 
+++ b/server/websocket.c
b95fd1 
@@ -165,8 +165,9 @@ static uint64_t extract_length(const uint8_t *buf, int *used)
b95fd1 
     case LENGTH_64BIT:
b95fd1 
         *used += 8;
b95fd1 
         outlen = 0;
b95fd1 
-        for (i = 56; i >= 0; i -= 8) {
b95fd1 
-            outlen |= (*buf++) << i;
b95fd1 
+        for (i = 0; i < 8; ++i) {
b95fd1 
+            outlen <<= 8;
b95fd1 
+            outlen |= *buf++;
b95fd1 
         }
b95fd1 
         break;
b95fd1
b95fd1 
--
b95fd1 
2.26.2
b95fd1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation