[Spice-devel] [PATCH spice-server 05/16] test-display-base: Avoid global buffer overflow
Frediano Ziglio
fziglio at redhat.com
Wed Sep 6 15:54:38 UTC 2017
>
> On Mon, Sep 04, 2017 at 11:57:13AM +0100, Frediano Ziglio wrote:
> > For some reasons (documented in cursor_init) the function
> > uses 128 bytes more of data causing a reading buffer overflow.
>
> 128 extra bytes of data ?
>
> Acked-by: Christophe Fergeau <cfergeau at redhat.com>
>
There's this comment/code some lines below
// X drivers addes it to the cursor size because it could be
// cursor data information or another cursor related stuffs.
// Otherwise, the code will break in client/cursor.cpp side,
// that expect the data_size plus cursor information.
// Blame cursor protocol for this. :-)
cursor.cursor.data_size += 128;
No idea what they are talking about...
Frediano
> >
> > Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> > ---
> > Is it still valid the reason or the buffer should be just the right
> > size? Was it a old client bug?
> > ---
> > server/tests/test-display-base.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/server/tests/test-display-base.c
> > b/server/tests/test-display-base.c
> > index f77f9659..ed62a607 100644
> > --- a/server/tests/test-display-base.c
> > +++ b/server/tests/test-display-base.c
> > @@ -694,7 +694,7 @@ static void release_resource(SPICE_GNUC_UNUSED
> > QXLInstance *qin,
> >
> > static struct {
> > QXLCursor cursor;
> > - uint8_t data[CURSOR_WIDTH * CURSOR_HEIGHT * 4]; // 32bit per pixel
> > + uint8_t data[CURSOR_WIDTH * CURSOR_HEIGHT * 4 + 128]; // 32bit per
> > pixel
> > } cursor;
> >
> > static void cursor_init(void)
More information about the Spice-devel
mailing list