[Spice-commits] server/red-parse-qxl.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Mon Jun 6 07:59:59 UTC 2016


 server/red-parse-qxl.c |    3 +++
 1 file changed, 3 insertions(+)

New commits:
commit 18c99e008f2d036d03168e94493a8211f44a17af
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Tue Sep 15 16:35:39 2015 +0100

    avoid integer underflow under 32 bit architectures
    
    The segment_size computation on 32 bit can lead to big numbers which
    can lead to negative offset. Let's avoid to underrun the buffer,
    as it's not checked.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Fabiano Fidêncio <fidencio at redhat.com>

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 7678c7e..721c861 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -276,6 +276,9 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
         count = start->count;
         segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
+        /* avoid going backward with 32 bit architectures */
+        spice_assert((uint64_t) count * sizeof(QXLPointFix)
+                     <= (char*) end - (char*) &start->points[0]);
         start = (QXLPathSeg*)(&start->points[count]);
     }
 
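Review bot: In the added spice_assert, the right-hand side `(char*) end - (char*) &start->points[0]` is a signed pointer difference compared against a uint64_t, so if &start->points[0] already lies past end (a segment header that begins in the last few bytes of the chunk), the negative difference converts to a very large unsigned value and the assertion passes. Checking that &start->points[0] does not exceed end before doing the subtraction would close that case. Separately, count is read from start->count, so a bad value here stops the process through spice_assert; since red_get_path returns a pointer, failing the parse with an error return may be preferable to asserting.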

