[Spice-devel] [PATCH 06/19] Fix buffer reading overflow
Frediano Ziglio
fziglio at redhat.com
Tue Oct 6 03:25:50 PDT 2015
Not a security risk, as this is just a read.
However, this could be used to attempt integer overflows in the
following lines.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
---
server/red_parse_qxl.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index bdd5917..e2f95e4 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24,
static int bitmap_consistent(SpiceBitmap *bitmap)
{
- int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
+ int bpp;
+
+ if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
+ spice_warning("wrong format specified for image\n");
+ return FALSE;
+ }
+
+ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
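Review bot: The new range check in bitmap_consistent() still lets format 0 through, and the table in the hunk header starts with 0, so bpp can be 0 after the lookup. In that case the stride test on the following context line reduces to `bitmap->stride < 0` and no longer constrains the stride against the width. Consider rejecting a zero bpp in the same early-return block, or document why format 0 is acceptable here. Two smaller points: the upper-bound comparison only covers negative indexes if bitmap->format is an unsigned type, which is not visible in this hunk, so a short comment or an explicit lower-bound test would make that clear; and the warning would be more useful for triage if it printed the rejected format value, as the stride warning below it does for its operands. The multiplication `bitmap->x * bpp + 7` is left unchecked by this patch, which is the integer overflow the commit message mentions; if it is handled in a later patch of the series, a reference to that in the commit message would help.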
--
2.4.3