[Spice-commits] 2 commits - common/canvas_base.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Thu Jul 12 04:48:51 UTC 2018


 common/canvas_base.c |   46 +++++++++++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 15 deletions(-)

New commits:
commit 82c2e2315ccd864840fba3dea2dda4c683c56a11
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Tue Jul 10 14:33:35 2018 +0100

    canvas_base: Change spice_warning to g_warning
    
    The 2 APIs are equivalent.
    Some minor coherence changes:
    - remove line terminator, already added;
    - start message with lower case;
    - LZ4, not Lz4.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Jonathon Jongsma <jjongsma at redhat.com>

diff --git a/common/canvas_base.c b/common/canvas_base.c
index 3283e88..9ffca3e 100644
--- a/common/canvas_base.c
+++ b/common/canvas_base.c
@@ -377,7 +377,7 @@ static pixman_image_t *canvas_get_quic(CanvasBase *canvas, SpiceImage *image,
         if (surface != NULL) {
             pixman_image_unref(surface);
         }
-        spice_warning("%s", quic_data->message_buf);
+        g_warning("%s", quic_data->message_buf);
         return NULL;
     }
 
@@ -388,7 +388,7 @@ static pixman_image_t *canvas_get_quic(CanvasBase *canvas, SpiceImage *image,
                           SPICE_UNALIGNED_CAST(uint32_t *,image->u.quic.data->chunk[0].data),
                           image->u.quic.data->chunk[0].len >> 2,
                           &type, &width, &height) == QUIC_ERROR) {
-        spice_warning("quic decode begin failed");
+        g_warning("quic decode begin failed");
         return NULL;
     }
 
@@ -433,7 +433,7 @@ static pixman_image_t *canvas_get_quic(CanvasBase *canvas, SpiceImage *image,
     if (quic_decode(quic_data->quic, as_type,
                     dest, stride) == QUIC_ERROR) {
         pixman_image_unref(surface);
-        spice_warning("quic decode failed");
+        g_warning("quic decode failed");
         return NULL;
     }
 
@@ -488,7 +488,7 @@ static pixman_image_t *canvas_get_jpeg(CanvasBase *canvas, SpiceImage *image)
     surface = surface_create(PIXMAN_LE_x8r8g8b8,
                              width, height, FALSE);
     if (surface == NULL) {
-        spice_warning("create surface failed");
+        g_warning("create surface failed");
         return NULL;
     }
 
@@ -561,14 +561,14 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
             stride_encoded *= 4;
             break;
         default:
-            spice_warning("Unsupported bitmap format %d with LZ4\n", spice_format);
+            g_warning("unsupported bitmap format %d with LZ4", spice_format);
             return NULL;
     }
 
     surface = surface_create(format,
                              width, height, top_down);
     if (surface == NULL) {
-        spice_warning("create surface failed");
+        g_warning("create surface failed");
         return NULL;
     }
 
@@ -611,7 +611,7 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
     return surface;
 
 format_error:
-    spice_warning("Error decoding LZ4 block\n");
+    g_warning("error decoding LZ4 block");
     LZ4_freeStreamDecode(stream);
     pixman_image_unref(surface);
     return NULL;
@@ -649,7 +649,7 @@ static pixman_image_t *canvas_get_jpeg_alpha(CanvasBase *canvas, SpiceImage *ima
                                      width, height, width*height, alpha_top_down);
 
     if (surface == NULL) {
-        spice_warning("create surface failed");
+        g_warning("create surface failed");
         return NULL;
     }
 
@@ -702,7 +702,7 @@ static pixman_image_t *canvas_bitmap_to_surface(CanvasBase *canvas, SpiceBitmap*
     image = surface_create(format,
                            bitmap->x, bitmap->y, FALSE);
     if (image == NULL) {
-        spice_warning("create surface failed");
+        g_warning("create surface failed");
         return NULL;
     }
 
@@ -791,7 +791,7 @@ static pixman_image_t *canvas_get_lz(CanvasBase *canvas, SpiceImage *image,
             free(palette);
         }
         free(decomp_buf);
-        spice_warning("%s", lz_data->message_buf);
+        g_warning("%s", lz_data->message_buf);
         return NULL;
     }
 
@@ -1127,7 +1127,7 @@ static pixman_image_t *get_surface_from_canvas(CanvasBase *canvas,
 #ifdef USE_LZ4
         return canvas_get_lz4(canvas, image);
 #else
-        spice_warning("Lz4 compression algorithm not supported.\n");
+        g_warning("LZ4 compression algorithm not supported");
         return NULL;
 #endif
 
@@ -1221,7 +1221,7 @@ static pixman_image_t *canvas_get_image_internal(CanvasBase *canvas, SpiceImage
 #ifdef SW_CANVAS_CACHE
     } else if (descriptor->flags & SPICE_IMAGE_FLAGS_CACHE_REPLACE_ME) {
         if (spice_image_descriptor_is_lossy(descriptor)) {
-            spice_warning("invalid cache replace request: the image is lossy");
+            g_warning("invalid cache replace request: the image is lossy");
             return NULL;
         }
         canvas->bits_cache->ops->replace_lossy(canvas->bits_cache, descriptor->id, surface);
commit e8314732a7b0b7d289f5befd0b0e4d81dfb500dc
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Wed Jun 27 10:55:05 2018 +0100

    canvas_base: Check for overflows decoding LZ4
    
    Check that we have enough data before reading.
    Without the check, read buffer overflows could go undetected.
    This is not a security issue: the read happens only in the client and
    does not cause any information leakage; at most it can generate a crash
    or some garbage on the screen.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Jonathon Jongsma <jjongsma at redhat.com>

diff --git a/common/canvas_base.c b/common/canvas_base.c
index 2fd60aa..3283e88 100644
--- a/common/canvas_base.c
+++ b/common/canvas_base.c
@@ -537,6 +537,10 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
     width = image->descriptor.width;
     stride_encoded = width;
     height = image->descriptor.height;
+    if (data + 2 > data_end) {
+        g_warning("missing header in LZ4 data");
+        return NULL;
+    }
     top_down = !!*(data++);
     spice_format = *(data++);
     switch (spice_format) {
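Review bot: The new header guard `if (data + 2 > data_end)` forms a pointer more than one past the end of the buffer when fewer than two bytes remain, which is undefined behaviour and can wrap on 32-bit; this is the same hazard the comment in the next hunk describes for `data + enc_size`. Writing it as `if (data_end - data < 2)` avoids the addition, and the block-length guard in the following hunk can likewise become `if (data_end - data < 4)`. The body of canvas_get_lz4 starts and ends outside this hunk, so this assumes `data_end` is never below `data` on entry.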
@@ -579,16 +583,22 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
     bits = dest;
 
     do {
+        if (data + 4 > data_end) {
+            goto format_error;
+        }
         // Read next compressed block
         enc_size = read_uint32_be(data);
         data += 4;
+        /* check overflow. This check is a bit different to avoid
+         * possible overflows. From previous check data_end - data cannot overflow.
+         * Computing data + enc_size on 32 bit could cause overflows. */
+        if (enc_size < 0 || data_end - data < (unsigned int) enc_size) {
+            goto format_error;
+        }
         dec_size = LZ4_decompress_safe_continue(stream, (const char *) data,
                                                 (char *) dest, enc_size, available);
         if (dec_size <= 0) {
-            spice_warning("Error decoding LZ4 block\n");
-            pixman_image_unref(surface);
-            surface = NULL;
-            break;
+            goto format_error;
         }
         dest += dec_size;
         available -= dec_size;
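Review bot: The length check `enc_size < 0 || data_end - data < (unsigned int) enc_size` relies on `enc_size` being a signed int that turns negative for wire values above INT_MAX. Its declaration is outside the hunk, but the sign test and cast suggest so, and that unsigned-to-signed conversion is implementation-defined. Keeping the wire value unsigned makes the bound explicit: `uint32_t len = read_uint32_be(data);` then `if (len > INT_MAX || (size_t)(data_end - data) < len) goto format_error;`, and only then `enc_size = len;`. A short why-comment that the length is taken from the received image data and must be validated before it reaches LZ4_decompress_safe_continue would also help the next reader.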
@@ -599,6 +609,12 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
 
     LZ4_freeStreamDecode(stream);
     return surface;
+
+format_error:
+    spice_warning("Error decoding LZ4 block\n");
+    LZ4_freeStreamDecode(stream);
+    pixman_image_unref(surface);
+    return NULL;
 }
 #endif
 

