Blame SOURCES/0056-Prevent-data_size-to-be-set-independently-from-data.patch
|
 |
73b8f2 |
From c2cdd1daf8edceec8adbb456dca656efe3648eec Mon Sep 17 00:00:00 2001
|
|
|
73b8f2 |
From: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
Date: Thu, 17 Sep 2015 14:28:36 +0100
|
|
|
73b8f2 |
Subject: [PATCH 56/57] Prevent data_size to be set independently from data
|
|
|
73b8f2 |
|
|
|
73b8f2 |
There was not check for data_size field so one could set data to
|
|
|
73b8f2 |
a small set of data and data_size much bigger than size of data
|
|
|
73b8f2 |
leading to buffer overflow.
|
|
|
73b8f2 |
|
|
|
73b8f2 |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
---
|
|
|
73b8f2 |
server/red_parse_qxl.c | 1 +
|
|
|
73b8f2 |
1 file changed, 1 insertion(+)
|
|
|
73b8f2 |
|
|
|
73b8f2 |
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
|
|
|
73b8f2 |
index c1df8e8..8e3dd55 100644
|
|
|
73b8f2 |
--- a/server/red_parse_qxl.c
|
|
|
73b8f2 |
+++ b/server/red_parse_qxl.c
|
|
|
73b8f2 |
@@ -1391,6 +1391,7 @@ static int red_get_cursor(RedMemSlotInfo *slots, int group_id,
|
|
|
73b8f2 |
size = red_get_data_chunks_ptr(slots, group_id,
|
|
|
73b8f2 |
get_memslot_id(slots, addr),
|
|
|
73b8f2 |
&chunks, &qxl->chunk);
|
|
|
73b8f2 |
+ red->data_size = MIN(red->data_size, size);
|
|
|
73b8f2 |
data = red_linearize_chunk(&chunks, size, &free_data);
|
|
|
73b8f2 |
red_put_data_chunks(&chunks);
|
|
|
73b8f2 |
if (free_data) {
|
|
|
73b8f2 |
--
|
|
|
73b8f2 |
2.4.3
|
|
|
73b8f2 |
|