[Spice-devel] [PATCH 1/2] fix integer overflows in red_get_path
Frediano Ziglio
fziglio at redhat.com
Fri Jun 3 12:03:34 UTC 2016
Use 64 bit arithmetic to avoid overflows.
The multiplication between count and a constant can overflow.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
server/red-parse-qxl.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 0fdf912..7678c7e 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -246,7 +246,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
bool free_data;
QXLPath *qxl;
SpicePath *red;
- size_t size, mem_size, mem_size2, dsize, segment_size;
+ size_t size;
+ uint64_t mem_size, mem_size2, segment_size;
int n_segments;
int i;
uint32_t count;
@@ -273,7 +274,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
while (start+1 < end) {
n_segments++;
count = start->count;
- segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
+ segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
start = (QXLPathSeg*)(&start->points[count]);
}
@@ -292,14 +293,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
/* Protect against overflow in size calculations before
writing to memory */
- spice_assert(mem_size2 + sizeof(SpicePathSeg) > mem_size2);
- mem_size2 += sizeof(SpicePathSeg);
- spice_assert(count < UINT32_MAX / sizeof(SpicePointFix));
- dsize = count * sizeof(SpicePointFix);
- spice_assert(mem_size2 + dsize > mem_size2);
- mem_size2 += dsize;
-
/* Verify that we didn't overflow due to guest changing data */
+ mem_size2 += sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
spice_assert(mem_size2 <= mem_size);
seg->flags = start->flags;
--
2.7.4
More information about the Spice-devel
mailing list