fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261
1 From caec52dc77af6ebdac3219a1b10fe2293af21208 Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 8 Sep 2015 10:13:24 +0100
4 Subject: [PATCH 11/19] Fix integer overflow computing glyph_size in
5 red_get_string
6
7 If bpp is int the formula can lead to weird overflows. width and height
8 are uint16_t so the formula is:
9
10 size_t = u16 * (u16 * int + const_int) / const_int;
11
12 so it became
13
14 size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;
15
16 However, (int) u16 * (int) u16 can then overflow and become negative.
17 Under 64-bit architectures size_t is 64 bits and int is usually 32, so converting
18 this negative 32-bit number to an unsigned 64-bit one leads to a very big
19 number, as the sign is extended and then converted to unsigned.
20 Using unsigned arithmetic prevents extending the sign.
21
22 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
23 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
24 ---
25 server/red_parse_qxl.c | 8 +++++---
26 1 file changed, 5 insertions(+), 3 deletions(-)
27
28 --- a/server/red_parse_qxl.c
29 +++ b/server/red_parse_qxl.c
30 @@ -808,7 +808,9 @@ static SpiceString *red_get_string(RedMe
31 uint8_t *data;
32 bool free_data;
33 size_t chunk_size, qxl_size, red_size, glyph_size;
34 - int glyphs, bpp = 0, i;
35 + int glyphs, i;
36 + /* use unsigned to prevent integer overflow in multiplication below */
37 + unsigned int bpp = 0;
38 int error;
39 uint16_t qxl_flags, qxl_length;
40
41 @@ -847,7 +849,7 @@ static SpiceString *red_get_string(RedMe
42 while (start < end) {
43 spice_assert((QXLRasterGlyph*)(&start->data[0]) <= end);
44 glyphs++;
45 - glyph_size = start->height * ((start->width * bpp + 7) / 8);
46 + glyph_size = start->height * ((start->width * bpp + 7u) / 8u);
47 red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4);
48 start = (QXLRasterGlyph*)(&start->data[glyph_size]);
49 }
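Review bot: The glyph size on the added line is still computed in 32-bit unsigned arithmetic, so `start->height * ((start->width * bpp + 7u) / 8u)` avoids the signed overflow but only stays exact because bpp is at most 8 bits (two uint16_t values times 8 fits in 32 bits); nothing in the hunk enforces that bound, and a larger bpp would wrap silently before the value is widened to size_t. Widening first, `glyph_size = (size_t)start->height * (((size_t)start->width * bpp + 7) / 8);`, computes in the width of `glyph_size` itself and removes the dependence on how bpp is derived above the hunk; the `u` suffixes become unnecessary because bpp is already unsigned. The same expression is recomputed in the third hunk (`glyph->height * ((glyph->width * bpp + 7u) / 8u)`), so a `static inline size_t glyph_data_size(uint16_t w, uint16_t h, unsigned bpp)` helper would keep the two copies in step. If bpp were left at its initializer 0, the computed size is 0 and `start` never advances, so the `while (start < end)` loop would not terminate unless the flag handling above the hunk rejects that case — worth confirming, since the string comes from the guest. red_get_string's body continues outside the hunk on both sides.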
50 @@ -868,7 +870,7 @@ static SpiceString *red_get_string(RedMe
51 glyph->height = start->height;
52 red_get_point_ptr(&glyph->render_pos, &start->render_pos);
53 red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin);
54 - glyph_size = glyph->height * ((glyph->width * bpp + 7) / 8);
55 + glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u);
56 spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end);
57 memcpy(glyph->data, start->data, glyph_size);
58 start = (QXLRasterGlyph*)(&start->data[glyph_size]);