[Spice-devel] [PATCH spice-common] quic: avoid crash on specific images

Jonathon Jongsma jjongsma at redhat.com
Wed Aug 23 20:28:16 UTC 2017


Acked-by: Jonathon Jongsma <jjongsma at redhat.com>


On Mon, 2017-08-21 at 09:31 -0400, Frediano Ziglio wrote:
> ping
> 
> > 
> > encode_ones is called to encode a long sequence of 1 bits.
> > In some conditions (I managed to reproduce with an 85000x4 pixel
> > image filled with a single color) encode_ones is called with an
> > "n" value >= 32.
> > This causes encode to be called with a "len" value of 32 which
> > triggers this assert:
> > 
> >    spice_assert(len > 0 && len < 32);
> > 
> > causing a crash. Instead of calling encode with a constant
> > "len" as 32, call encode_32, which is supposed to encode
> > exactly 32 bits.
> > 
> > Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> > ---
> >  common/quic.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/common/quic.c b/common/quic.c
> > index 1be28c6..e097064 100644
> > --- a/common/quic.c
> > +++ b/common/quic.c
> > @@ -507,7 +507,7 @@ static inline void encode_ones(Encoder
> > *encoder, unsigned
> > int n)
> >      unsigned int count;
> >  
> >      for (count = n >> 5; count; count--) {
> > -        encode(encoder, ~0U, 32);
> > +        encode_32(encoder, ~0U);
> >      }
> >  
> >      if ((n &= 0x1f)) {
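
Review bot: the loop in encode_ones now depends on encode_32 emitting exactly 32 bits, and the commit message only says it "is supposed to", so a regression test would make this safer: encode the 85000x4 single-color image from the description and check that the result decodes back, since that is the input that drove n to 32 or more and hit spice_assert(len > 0 && len < 32). A one-line comment above the loop saying that encode() rejects a len of 32 would also stop the call from being folded back into encode(encoder, ~0U, 32) later. The remainder branch after `n &= 0x1f` only sees values from 1 to 31, so it stays within the assert's range and needs no change.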