fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261

[pve-libspice-server.git] / debian / patches / CVE-2015-5260_CVE-2015-5261 / 0010-Fix-race-condition-in-red_get_string.patch

From dfaedec7890069b35f513e4a8ab4071ca54259ff Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:05:20 +0100
Subject: [PATCH 10/19] Fix race condition in red_get_string

Do not read multiple time an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -810,6 +810,7 @@ static SpiceString *red_get_string(RedMe
     size_t chunk_size, qxl_size, red_size, glyph_size;
     int glyphs, bpp = 0, i;
     int error;
+    uint16_t qxl_flags, qxl_length;
 
     qxl = (QXLString *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
     if (error) {
@@ -826,13 +827,15 @@ static SpiceString *red_get_string(RedMe
     red_put_data_chunks(&chunks);
 
     qxl_size = qxl->data_size;
+    qxl_flags = qxl->flags;
+    qxl_length = qxl->length;
     spice_assert(chunk_size == qxl_size);
 
-    if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A1) {
+    if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A1) {
         bpp = 1;
-    } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A4) {
+    } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A4) {
         bpp = 4;
-    } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A8) {
+    } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A8) {
         bpp = 8;
     }
     spice_assert(bpp != 0);
@@ -849,11 +852,11 @@ static SpiceString *red_get_string(RedMe
         start = (QXLRasterGlyph*)(&start->data[glyph_size]);
     }
     spice_assert(start <= end);
-    spice_assert(glyphs == qxl->length);
+    spice_assert(glyphs == qxl_length);
 
     red = spice_malloc(red_size);
-    red->length = qxl->length;
-    red->flags = qxl->flags;
+    red->length = qxl_length;
+    red->flags = qxl_flags;
 
     start = (QXLRasterGlyph*)data;
     end = (QXLRasterGlyph*)(data + chunk_size);