1 From caec52dc77af6ebdac3219a1b10fe2293af21208 Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 8 Sep 2015 10:13:24 +0100
4 Subject: [PATCH 11/19] Fix integer overflow computing glyph_size in
7 If bpp is int the formula can lead to weird overflows. width and height
8 are uint16_t so the formula is:
10 size_t = u16 * (u16 * int + const_int) / const_int;
14 size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;
16 However the (int) u16 * (int) u16 product can then overflow and become negative.
17 Under 64 bit architectures size_t is 64 bit and int usually 32 bit, so converting
18 this negative 32 bit number to an unsigned 64 bit one leads to a very big
19 number as the sign is extended and then converted to unsigned.
20 Using unsigned arithmetic prevents extending the sign.
22 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
23 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
25 server/red_parse_qxl.c | 8 +++++---
26 1 file changed, 5 insertions(+), 3 deletions(-)
28 --- a/server/red_parse_qxl.c
29 +++ b/server/red_parse_qxl.c
30 @@ -808,7 +808,9 @@ static SpiceString *red_get_string(RedMe
33 size_t chunk_size, qxl_size, red_size, glyph_size;
34 - int glyphs, bpp = 0, i;
36 + /* use unsigned to prevent integer overflow in multiplication below */
37 + unsigned int bpp = 0;
39 uint16_t qxl_flags, qxl_length;
41 @@ -847,7 +849,7 @@ static SpiceString *red_get_string(RedMe
43 spice_assert((QXLRasterGlyph*)(&start->data[0]) <= end);
45 - glyph_size = start->height * ((start->width * bpp + 7) / 8);
46 + glyph_size = start->height * ((start->width * bpp + 7u) / 8u);
47 red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4);
48 start = (QXLRasterGlyph*)(&start->data[glyph_size]);
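Review bot: The new glyph_size on the `+` line is still computed in 32-bit `unsigned int` before being widened to `size_t`: `start->height` and `start->width` promote from uint16_t to int and, because bpp is now unsigned int, the whole product is unsigned int, so the fix removes the sign extension but keeps the narrow intermediate. With height and width both at most 65535 the product stays below 2^32 only while bpp is at most 8; bpp is assigned outside this hunk, so if it can ever be larger the value wraps silently. Doing the arithmetic in the destination type makes this independent of bpp's range: `glyph_size = (size_t)start->height * (((size_t)start->width * bpp + 7) / 8);`. Note also that this first pass only verifies that the glyph header lies before `end` (the assert two lines above) and then adds glyph_size to red_size and steps `start` by it without checking that the glyph data itself fits, so if red_size sizes an allocation before the second pass validates the data, a width/height pair from the QXL stream (presumably guest-controlled) can request a very large allocation. red_get_string starts before this hunk and ends after it.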
50 @@ -868,7 +870,7 @@ static SpiceString *red_get_string(RedMe
51 glyph->height = start->height;
52 red_get_point_ptr(&glyph->render_pos, &start->render_pos);
53 red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin);
54 - glyph_size = glyph->height * ((glyph->width * bpp + 7) / 8);
55 + glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u);
56 spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end);
57 memcpy(glyph->data, start->data, glyph_size);
58 start = (QXLRasterGlyph*)(&start->data[glyph_size]);
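Review bot: The assert on the line after the change forms `&start->data[glyph_size]` before comparing it with `end`; glyph_size is derived from glyph->width/height, which are copied from `start` (the QXL data) just above, so the pointer can be built far past the buffer, which is undefined behaviour and on a 32-bit target can wrap to an address below `end` and pass the check ahead of the memcpy. Comparing sizes avoids forming the pointer at all: `spice_assert(glyph_size <= (size_t)((uint8_t *)end - (uint8_t *)start->data));`. The same 32-bit `unsigned int` intermediate as in the first pass applies here, so casting on the changed line, `glyph_size = (size_t)glyph->height * (((size_t)glyph->width * bpp + 7) / 8);`, keeps both passes consistent if bpp, set outside this hunk, can exceed 8. red_get_string continues outside this hunk.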