|
|
73b8f2 |
From 18087073df84885642d9b0b1efd0e86e18409bbe Mon Sep 17 00:00:00 2001
|
|
|
73b8f2 |
From: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
Date: Tue, 8 Sep 2015 10:00:37 +0100
|
|
|
73b8f2 |
Subject: [PATCH 44/57] Fix buffer reading overflow
|
|
|
73b8f2 |
|
|
|
73b8f2 |
Not security risk as just for read.
|
|
|
73b8f2 |
However, this could be used to attempt integer overflows in the
|
|
|
73b8f2 |
following lines.
|
|
|
73b8f2 |
|
|
|
73b8f2 |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
|
|
73b8f2 |
---
|
|
|
73b8f2 |
server/red_parse_qxl.c | 9 ++++++++-
|
|
|
73b8f2 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
73b8f2 |
|
|
|
73b8f2 |
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
|
|
|
73b8f2 |
index a7ca71d..01cba0f 100644
|
|
|
73b8f2 |
--- a/server/red_parse_qxl.c
|
|
|
73b8f2 |
+++ b/server/red_parse_qxl.c
|
|
|
73b8f2 |
@@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24,
|
|
|
73b8f2 |
|
|
|
73b8f2 |
static int bitmap_consistent(SpiceBitmap *bitmap)
|
|
|
73b8f2 |
{
|
|
|
73b8f2 |
- int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
|
|
|
73b8f2 |
+ int bpp;
|
|
|
73b8f2 |
+
|
|
|
73b8f2 |
+ if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
|
|
|
73b8f2 |
+ spice_warning("wrong format specified for image\n");
|
|
|
73b8f2 |
+ return FALSE;
|
|
|
73b8f2 |
+ }
|
|
|
73b8f2 |
+
|
|
|
73b8f2 |
+ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
|
|
|
73b8f2 |
|
|
|
73b8f2 |
if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
|
|
|
73b8f2 |
spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
|
|
|
73b8f2 |
--
|
|
|
73b8f2 |
2.4.3
|
|
|
73b8f2 |
|