[Spice-devel] [PATCH spice-server v2 2/2] worker: Fix potential sprintf overflow

Frediano Ziglio fziglio at redhat.com
Wed Mar 20 15:57:46 UTC 2019


From: Christophe Fergeau <cfergeau at redhat.com>

If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a
negative signed int) then
printf(worker_str, "display[%d]", worker->qxl->id);
will need:

"display[]" -> 9 bytes
%d -> 11 bytes

The trailing \0 will thus overflow our 20 bytes destination.
As QXLInstance::id should be an unsigned int, this commit changes the
format string to use %u. This also switches to snprintf.
---
 server/red-worker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/red-worker.c b/server/red-worker.c
index 8051d1e4..50612aca 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
     worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
     worker->driver_cap_monitors_config = 0;
     char worker_str[SPICE_STAT_NODE_NAME_MAX];
-    sprintf(worker_str, "display[%d]", worker->qxl->id);
+    snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned int)worker->qxl->id);
     stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
     stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);
     stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);
-- 
2.20.1



More information about the Spice-devel mailing list