fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261
1 From 3dfd1a08286d524a742d51952595fcfb6f0c6f1b Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 8 Sep 2015 10:01:51 +0100
4 Subject: [PATCH 08/19] Fix race condition on red_get_clip_rects
5
6 Do not read more than once an array size that can be changed.
7
8 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
9 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
10 ---
11 server/red_parse_qxl.c | 8 +++++---
12 1 file changed, 5 insertions(+), 3 deletions(-)
13
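diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 40c1c99..a9f3ca1 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
 size_t size;
 int i;
 int error;
+uint32_t num_rects;
 
 qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
 if (error) {
@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
 data = red_linearize_chunk(&chunks, size, &free_data);
 red_put_data_chunks(&chunks);
 
-spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
-red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
-red->num_rects = qxl->num_rects;
+num_rects = qxl->num_rects;
+spice_assert(num_rects * sizeof(QXLRect) == size);
+red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
+red->num_rects = num_rects;
 
 start = (QXLRect*)data;
 for (i = 0; i < red->num_rects; i++) {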
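Review bot: The snapshot `num_rects = qxl->num_rects;` in the second hunk makes the size check, the allocation and the copy loop agree on one value, but the products `num_rects * sizeof(QXLRect)` and `num_rects * sizeof(SpiceRect)` are still unchecked, so on a build where size_t is 32 bits a large guest-supplied count can wrap and the equality against `size` no longer bounds what is allocated. A guard before the assert, `spice_assert(num_rects <= SIZE_MAX / sizeof(QXLRect));`, closes that regardless of word size. Separately, `spice_assert` on a value read from guest memory aborts the whole server on malformed input instead of rejecting the single command; that is pre-existing and may be addressed elsewhere in this series, but the line deserves a comment such as `/* num_rects is guest-controlled: validated here, never trusted again */`. The loop condition `i < red->num_rects` also compares a signed `int i` with the unsigned count, which is harmless once the count is bounded but worth making `uint32_t`. red_get_clip_rects begins before the first hunk and ends after the second.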
40 --
41 2.6.1
42