[Spice-devel] [PATCH spice-common v3] lz: Avoid buffer reading overflow checking for image type
Frediano Ziglio
fziglio at redhat.com
Tue Jun 26 09:31:00 UTC 2018
The type of the image is just copied from network without
any check and later used for array indexing.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
common/lz.c | 3 +++
1 file changed, 3 insertions(+)
Changes since v3:
- just fix the issue, without changing the code/declarations much
diff --git a/common/lz.c b/common/lz.c
index b7e7d48..ff5f4ef 100644
--- a/common/lz.c
+++ b/common/lz.c
@@ -594,6 +594,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
}
encoder->type = (LzImageType)decode_32(encoder);
+ if (encoder->type < 0 || encoder->type > LZ_IMAGE_TYPE_A8) {
+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
+ }
encoder->width = decode_32(encoder);
encoder->height = decode_32(encoder);
encoder->stride = decode_32(encoder);
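Review bot: the new range check in lz_decode_begin() has no return or other exit after encoder->usr->error(...), so if that callback ever returns, decoding continues to read width, height and stride with the invalid value still stored in encoder->type. Either state in a comment that error() must not return, or add an explicit return after the call. The comparison is also made after the cast to LzImageType: whether "encoder->type < 0" can be true depends on the signedness the compiler chooses for the enum, so it would be more robust to range-check the raw decode_32() result in an integer variable and assign it to encoder->type only once it is known to be valid. The upper bound assumes LZ_IMAGE_TYPE_A8 is the last enumerator; a comment or a dedicated maximum constant would keep the check correct if a type is added later.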
--
2.17.1