debian/patches/CVE-2015-5260_CVE-2015-5261/0017-Avoid-race-condition-copying-segments-in-red_get_pat.patch

   1 From 2b6695f1222f68690ea230e4e37ded7e07188f06 Mon Sep 17 00:00:00 2001
   2 From: Frediano Ziglio <fziglio@redhat.com>
   3 Date: Tue, 15 Sep 2015 16:38:23 +0100
   4 Subject: [PATCH 17/19] Avoid race condition copying segments in red_get_path
   5
   6 The guest can attempt to increase the number of segments while
   7 spice-server is reading them.
   8 Make sure we don't copy more then the allocated segments.
   9
  10 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
  11 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
  12 ---
  13  server/red_parse_qxl.c | 2 +-
  14  1 file changed, 1 insertion(+), 1 deletion(-)
  15
  16 diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
  17 index 281faad..c7f8650 100644
  18 --- a/server/red_parse_qxl.c
  19 +++ b/server/red_parse_qxl.c
  20 @@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
  21      seg = (SpicePathSeg*)&red->segments[n_segments];
  22      n_segments = 0;
  23      mem_size2 = sizeof(*red);
  24 -    while (start+1 < end) {
  25 +    while (start+1 < end && n_segments < red->num_segments) {
  26          red->segments[n_segments++] = seg;
  27          count = start->count;
  28
  29 --
  30 2.6.1
  31