[Spice-devel] [PATCH 1/2] fix integer overflows in red_get_path

Frediano Ziglio fziglio at redhat.com
Fri Jun 3 12:03:34 UTC 2016


Use 64 bit arithmetic to avoid overflows.
The multiplication of count by a constant can overflow.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/red-parse-qxl.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 0fdf912..7678c7e 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -246,7 +246,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
     bool free_data;
     QXLPath *qxl;
     SpicePath *red;
-    size_t size, mem_size, mem_size2, dsize, segment_size;
+    size_t size;
+    uint64_t mem_size, mem_size2, segment_size;
     int n_segments;
     int i;
     uint32_t count;
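Review bot: Widening `mem_size` to uint64_t removes the wrap, but the value is presumably handed to an allocator taking size_t later in the function (outside this hunk), where on 32-bit targets the implicit narrowing would silently drop the high word and undo this fix. A guard before the allocation would close that gap, in the style the file already uses for guest data: `spice_assert(mem_size <= SIZE_MAX);` or, if an abort on guest-controlled input is undesirable, an early `return NULL`. The declarations here belong to red_get_path, whose body continues past the hunk.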
@@ -273,7 +274,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
     while (start+1 < end) {
         n_segments++;
         count = start->count;
-        segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
+        segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
         start = (QXLPathSeg*)(&start->points[count]);
     }
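Review bot: The 64-bit cast fixes the byte-count arithmetic on the new line, but the loop still advances the pointer by `count` elements on the next line before the `start+1 < end` condition is re-evaluated, so a large guest-supplied count can still move `start` past `end` (or wrap it on 32-bit) by the same multiplication this commit guards against. Consider bounding the step against the remaining range before advancing, e.g. `if (count > (size_t)((const uint8_t *)end - (const uint8_t *)start->points) / sizeof start->points[0]) return NULL;` (assuming `end` marks the end of the validated region — confirm against the code above the hunk). The types of `start` and `end` are declared outside this hunk.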
@@ -292,14 +293,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 
         /* Protect against overflow in size calculations before
            writing to memory */
-        spice_assert(mem_size2 + sizeof(SpicePathSeg) > mem_size2);
-        mem_size2  += sizeof(SpicePathSeg);
-        spice_assert(count < UINT32_MAX / sizeof(SpicePointFix));
-        dsize = count * sizeof(SpicePointFix);
-        spice_assert(mem_size2 + dsize > mem_size2);
-        mem_size2  += dsize;
-
         /* Verify that we didn't overflow due to guest changing data */
+        mem_size2 += sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         spice_assert(mem_size2 <= mem_size);
 
         seg->flags = start->flags;
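Review bot: The comment at the top of the hunk, "Protect against overflow in size calculations before writing to memory", now describes the six lines this commit deletes, so it is left dangling above the second comment with no code between them. Suggest collapsing both into one comment above the new `mem_size2 += ...` line, e.g. `/* Recompute the size with 64-bit arithmetic; the assert catches the guest changing count between the two passes. */`. Where `count` is read for this pass is outside the hunk, so the note assumes it is re-read from `start->count` as in the first loop.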
-- 
2.7.4


