[Spice-commits] server/red-parse-qxl.c
Frediano Ziglio
fziglio at kemper.freedesktop.org
Fri Jan 8 08:35:08 PST 2016
server/red-parse-qxl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 2571cec5ebf2a7731fb62354f3bbc4c2c43699a5
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Tue Sep 8 13:07:00 2015 +0100
prevent integer overflow in red_get_clip_rects
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 5a14b45..f5bdce3 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -332,7 +332,12 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
red_put_data_chunks(&chunks);
num_rects = qxl->num_rects;
- spice_assert(num_rects * sizeof(QXLRect) == size);
+ /* The cast is needed to prevent 32 bit integer overflows.
+ * This check is enough as size is limited to 31 bit
+ * by red_get_data_chunks_ptr checks.
+ */
+ spice_assert((uint64_t) num_rects * sizeof(QXLRect) == size);
+ G_STATIC_ASSERT(sizeof(SpiceRect) == sizeof(QXLRect));
red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
red->num_rects = num_rects;
More information about the Spice-commits
mailing list