fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261
1 From a447c4f2ac19a1fa36330ffc90ee70b953b82050 Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 8 Sep 2015 13:06:03 +0100
4 Subject: [PATCH 15/19] Fix some possible overflows in red_get_string for 32
5 bit
6
7 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
8 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
9 ---
10 server/red_parse_qxl.c | 8 +++++++-
11 1 file changed, 7 insertions(+), 1 deletion(-)
12
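--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -896,6 +896,11 @@ static SpiceString *red_get_string(RedMe
 glyphs++;
 glyph_size = start->height * ((start->width * bpp + 7u) / 8u);
 red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4);
+ /* do the test correctly, we know end - start->data[0] cannot
+ * overflow, don't use start->data[glyph_size] to test for
+ * buffer overflow as this on 32 bit can cause overflow
+ * on the pointer arithmetic */
+ spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]);
 start = (QXLRasterGlyph*)(&start->data[glyph_size]);
 }
 spice_assert(start <= end);
@@ -916,7 +921,8 @@ static SpiceString *red_get_string(RedMe
 red_get_point_ptr(&glyph->render_pos, &start->render_pos);
 red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin);
 glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u);
- spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end);
+ /* see above for similar test */
+ spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]);
 memcpy(glyph->data, start->data, glyph_size);
 start = (QXLRasterGlyph*)(&start->data[glyph_size]);
 glyph = (SpiceRasterGlyph*)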
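Review bot: The new bound `glyph_size <= (char*) end - (char*) &start->data[0]` compares against a signed pointer difference, so it is only a valid bound while `&start->data[0] <= end` already holds. If the glyph header itself straddles `end`, the difference is negative and, assuming `glyph_size` is unsigned (its declaration is outside the hunk, but it is computed with `7u`/`8u`), converts to a huge value that lets the check pass ahead of the `memcpy`. Both loops begin outside the visible hunks, so confirm each iteration establishes that precondition, and state it in the comment, e.g. `/* requires &start->data[0] <= end (checked at loop top), so the difference is non-negative */`. Since these sizes appear to come from guest-supplied QXL data, it is also worth checking that `spice_assert` stays active in release builds; otherwise the copy is left unguarded.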