[Spice-devel] [PATCH spice-server v2 2/2] worker: Fix potential sprintf overflow
Frediano Ziglio
fziglio at redhat.com
Wed Mar 20 15:57:46 UTC 2019
From: Christophe Fergeau <cfergeau at redhat.com>
If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a
negative signed int) then
printf(worker_str, "display[%d]", worker->qxl->id);
will need:
"display[]" -> 9 bytes
%d -> 11 bytes
The trailing \0 will thus overflow our 20 bytes destination.
As QXLInstance::id should be an unsigned int, this commit changes the
format string to use %u. This also switches to snprintf.
---
server/red-worker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/red-worker.c b/server/red-worker.c
index 8051d1e4..50612aca 100644
--- a/server/red-worker.c
+++ b/server/red-worker.c
@@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
worker->driver_cap_monitors_config = 0;
char worker_str[SPICE_STAT_NODE_NAME_MAX];
- sprintf(worker_str, "display[%d]", worker->qxl->id);
+ snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned int)worker->qxl->id);
stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE);
stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE);
stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE);
--
2.20.1
More information about the Spice-devel
mailing list