[Spice-commits] 2 commits - server/red-worker.c
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Thu Mar 21 11:16:02 UTC 2019
server/red-worker.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
New commits:
commit 4f8db6fac3cf2e5b1c94b16525bbee45607da545
Author: Christophe Fergeau <cfergeau at redhat.com>
Date: Wed Mar 20 15:56:07 2019 +0000
worker: Fix potential sprintf overflow
If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a
negative signed int) then
sprintf(worker_str, "display[%d]", worker->qxl->id);
will need:
"display[]" -> 9 bytes
%d -> 11 bytes
The trailing \0 will thus overflow our 20 bytes destination.
As QXLInstance::id should be an unsigned int, this commit changes the
format string to use %u. This also switches to snprintf.
Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
Acked-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/server/red-worker.c b/server/red-worker.c
index 8051d1e4..99369a0c 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
worker->driver_cap_monitors_config = 0;
char worker_str[SPICE_STAT_NODE_NAME_MAX];
- sprintf(worker_str, "display[%d]", worker->qxl->id);
+ snprintf(worker_str, sizeof(worker_str), "display[%d]", worker->qxl->id & 0xff);
stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);
stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);
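Review bot: The `& 0xff` mask on the added snprintf line is not explained, and it does not match the commit message, which says the format string changes to `%u`. With the mask, any two QXL instances whose ids agree in the low 8 bits get the same `display[N]` node name, so their statistics may become indistinguishable. Either add a comment stating the assumed id range, e.g. `/* id truncated to 8 bits; ids are assumed to be < 256 */`, or print the full value as the message describes: `snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned) worker->qxl->id);`. That form needs up to 20 bytes including the terminator, so it fits only if SPICE_STAT_NODE_NAME_MAX is at least the 20 it replaced; comparing snprintf's return value with `sizeof(worker_str)` would make any truncation visible. red_worker_new starts and ends outside the hunk.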
commit bcf55b978ff0e8100ea134cf0a260f2610d936fa
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Wed Mar 20 14:48:29 2019 +0000
red-worker: Use mnemonic for statistic buffer
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
diff --git a/server/red-worker.c b/server/red-worker.c
index 3cb12b9c..8051d1e4 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -32,6 +32,7 @@
#include <spice/protocol.h>
#include <spice/qxl_dev.h>
+#include <spice/stats.h>
#include <common/lz.h>
#include <common/rect.h>
#include <common/region.h>
@@ -1289,7 +1290,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
worker->jpeg_state = reds_get_jpeg_state(reds);
worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
worker->driver_cap_monitors_config = 0;
- char worker_str[20];
+ char worker_str[SPICE_STAT_NODE_NAME_MAX];
sprintf(worker_str, "display[%d]", worker->qxl->id);
stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);