From 13dadd08709caa8e736cbbc886f5f8ba7bad7785 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 15 Sep 2015 16:25:17 +0100
Subject: [PATCH 61/64] Make sure we can read QXLPathSeg structures
|
start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.
|
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/red_parse_qxl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
|
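--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 
 start = (QXLPathSeg*)data;
 end = (QXLPathSeg*)(data + size);
- while (start < end) {
+ while (start+1 < end) {
 n_segments++;
 count = start->count;
 segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 seg = (SpicePathSeg*)&red->segments[n_segments];
 n_segments = 0;
 mem_size2 = sizeof(*red);
- while (start < end) {
+ while (start+1 < end) {
 red->segments[n_segments++] = seg;
 count = start->count;
 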
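Review bot: In both loops `start+1 < end` proves only that the fixed-size QXLPathSeg header lies inside the checked range; the `count` read on the next line is then used unbounded in `segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix)`, and nothing visible in either hunk checks that the `count` points following the header also end before `end`, or that the multiplication cannot wrap. The loop bodies continue outside the hunks, so such a check may exist there; if it does not, each iteration should reject a segment whose point array extends past `end` before advancing `start`. The second loop re-reads `start->count` from the same memory the first loop sized the allocation from, and that memory is presumably guest-writable, so the second pass should also verify its running size against the size computed in the first pass. At minimum I would add a comment at each loop, `/* start+1 < end covers the segment header only; count is untrusted and must be bounded separately */`.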
--
2.4.3