[Spice-devel] [PATCH 2/2] avoid integer underflow under 32 bit architectures

Frediano Ziglio fziglio at redhat.com
Fri Jun 3 12:03:35 UTC 2016


The segment_size computation on 32 bit can lead to big numbers which
can lead to a negative offset. As we test that we don't overrun the buffer,
avoid underrunning it, as we don't have a check for this.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/red-parse-qxl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 7678c7e..721c861 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -276,6 +276,9 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
         count = start->count;
         segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
+        /* avoid going backward with 32 bit architectures */
+        spice_assert((uint64_t) count * sizeof(QXLPointFix)
+                     <= (char*) end - (char*) &start->points[0]);
         start = (QXLPathSeg*)(&start->points[count]);
     }
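Review bot: the comparison on the added lines mixes an unsigned 64-bit left-hand side with a signed pointer difference on the right, so if `end` ever lies before `&start->points[0]` the negative `ptrdiff_t` is converted to a huge `uint64_t` and the assert passes instead of failing, which is the backward case the comment is meant to catch. Check the pointer order explicitly first, e.g. `spice_assert((char*) &start->points[0] <= (char*) end);`, or keep the difference in a signed variable and test `diff >= 0 && (uint64_t) diff >= (uint64_t) count * sizeof(QXLPointFix)`. Also worth noting that `spice_assert` aborts the process; since `count` comes from the parsed segment header, returning an error here would turn a bad value into a rejected path rather than a crash.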
 
-- 
2.7.4
