[Spice-commits] 2 commits - AUTHORS server/red-parse-qxl.cpp
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Apr 23 06:06:01 UTC 2021
AUTHORS | 1 +
server/red-parse-qxl.cpp | 3 +++
2 files changed, 4 insertions(+)
New commits:
commit 1fae1191e55638ff7593e3bf2d8d14cafd884305
Author: Qiuhao Li <Qiuhao.Li at outlook.com>
Date: Fri Apr 23 10:10:50 2021 +0800
reds: fix nullptr deref in red-parse-qxl.cpp
At red-parse-qxl.cpp#L535
if (qxl_flags & QXL_BITMAP_DIRECT) {
red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
qxl->bitmap.data,
bitmap_size);
Since qxl->bitmap.data may come from the guest, an attacker can make the
memslot_get_virt() check in red_get_image_data_flat() fail and
return a nullptr.
Then at red-parse-qxl.cpp#L550
if (qxl_flags & QXL_BITMAP_UNSTABLE) {
red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
}
qxl_flags is assigned as qxl->bitmap.flags before, which can also be
controlled by the attacker, resulting in a NULL pointer dereference.
This dereference seems to be introduced by commit 5ac88aa7.
Signed-off-by: Qiuhao Li <Qiuhao.Li at outlook.com>
diff --git a/server/red-parse-qxl.cpp b/server/red-parse-qxl.cpp
index 9724401d..35754362 100644
--- a/server/red-parse-qxl.cpp
+++ b/server/red-parse-qxl.cpp
@@ -535,6 +535,9 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
qxl->bitmap.data,
bitmap_size);
+ if (red->u.bitmap.data == nullptr) {
+ goto error;
+ }
} else {
size = red_get_data_chunks(slots, group_id,
&chunks, qxl->bitmap.data);
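Review bot: The added nullptr check after red_get_image_data_flat() in the QXL_BITMAP_DIRECT branch carries no comment explaining why a null result is reachable. A one-line comment stating that qxl->bitmap.data is guest-supplied and that the memslot validation inside red_get_image_data_flat() can fail would keep the check from looking redundant to a later reader. Two things are also worth confirming before merging, since the hunk does not show them: that the else branch treats a failing red_get_data_chunks() the same way (only the call and the assignment to size are visible here), and that the error label releases everything red_get_image() has allocated by this point, because this is a new path into it.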
commit 848c231d635ad851391437ed212580c69e6fa2e6
Author: Frediano Ziglio <freddy77 at gmail.com>
Date: Fri Apr 23 06:52:42 2021 +0100
syntax-check: Add missing contributor name to AUTHORS
Signed-off-by: Frediano Ziglio <freddy77 at gmail.com>
diff --git a/AUTHORS b/AUTHORS
index 06f7308a..f1eb3284 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -82,5 +82,6 @@ Patches also contributed by
Stefan Weil <sw at weilnetz.de>
Roman Bogorodskiy <bogorodskiy at gmail.com>
Tomasz Kłoczko <kloczek at github.com>
+ Qiuhao Li <Qiuhao.Li at outlook.com>
....send patches to get your name here...