Tree - rpms/spice - CentOS Git server

rpms / spice

Files

Commit: b6c02a27555f62203b2cd7f52fe22977ccd6a708

Blob Blame History Raw

From b8f4d7d2c7a3d08a82f4bc7588cdff15cee54292 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Tue, 16 Jun 2020 11:49:19 +0100
Subject: [PATCH] websocket: Fix possible integer overflow

The shift of a uint_8 number by a number > 32 causes an overflow.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <ulublin@redhat.com>
---
 server/websocket.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/websocket.c b/server/websocket.c
index f5df63f8..82b20b49 100644
--- a/server/websocket.c
+++ b/server/websocket.c
@@ -165,8 +165,9 @@ static uint64_t extract_length(const uint8_t *buf, int *used)
     case LENGTH_64BIT:
         *used += 8;
         outlen = 0;
-        for (i = 56; i >= 0; i -= 8) {
-            outlen |= (*buf++) << i;
+        for (i = 0; i < 8; ++i) {
+            outlen <<= 8;
+            outlen |= *buf++;
         }
         break;
 
-- 
2.26.2

rpms / spice

Source Code

Files