fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261
1 From 2693e0497e5626642250cff47a59b3b4b2cd432d Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 15 Sep 2015 16:25:17 +0100
4 Subject: [PATCH 16/19] Make sure we can read QXLPathSeg structures
5
6 start pointer points to a QXLPathSeg structure.
7 Before reading from the structure, make sure the structure is contained
8 in the memory range checked.
9
10 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
11 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
12 ---
13 server/red_parse_qxl.c | 4 ++--
14 1 file changed, 2 insertions(+), 2 deletions(-)
15
16 diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
17 index f21bfa5..281faad 100644
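--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 
 start = (QXLPathSeg*)data;
 end = (QXLPathSeg*)(data + size);
-while (start < end) {
+while (start+1 < end) {
 n_segments++;
 count = start->count;
 segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 seg = (SpicePathSeg*)&red->segments[n_segments];
 n_segments = 0;
 mem_size2 = sizeof(*red);
-while (start < end) {
+while (start+1 < end) {
 red->segments[n_segments++] = seg;
 count = start->count;
 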
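Review bot: The new guard `start+1 < end` in both loops of red_get_path only shows that the fixed-size QXLPathSeg header lies inside the checked range; the guest-supplied `start->count` read on the following line is not bounded against the bytes that remain before `end` anywhere in these hunks. If the code that advances `start` (outside the visible lines) does not check it either, the point array of the last segment can still run past `end`, so a test such as `if (count > ((uint8_t*)end - (uint8_t*)(start+1)) / sizeof(QXLPointFix)) break;` placed right after `count = start->count;` would close that gap, with the parse failing rather than continuing if that fits the function's error handling. The declared type of `segment_size` is not visible here; if it is narrower than 64 bits, `count * sizeof(SpicePointFix)` can wrap for large counts and should be computed in a 64-bit type. The strict `<` also skips a header that ends exactly at `end`, which is harmless but deserves a short comment such as `/* need a full QXLPathSeg header before end */`. The body of red_get_path begins and ends outside both hunks.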
38 --
39 2.6.1
40