[PATCH 18/19] Prevent data_size to be set independently from data

There was no check for the data_size field, so one could set data to
a small set of data and data_size much bigger than the size of data,
leading to a buffer overflow.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/red_parse_qxl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index c7f8650..3ce4431 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -1388,6 +1388,7 @@ static int red_get_cursor(RedMemSlotInfo *slots, int group_id,
     size = red_get_data_chunks_ptr(slots, group_id,
                                    get_memslot_id(slots, addr),
                                    &chunks, &qxl->chunk);
+    red->data_size = MIN(red->data_size, size);
     data = red_linearize_chunk(&chunks, size, &free_data);
     red_put_data_chunks(&chunks);
     if (free_data) {
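
Review bot: the added clamp takes size straight from red_get_data_chunks_ptr, and nothing visible between the call and the MIN checks that size is valid. If that function can return an error or sentinel value, or if size and red->data_size differ in signedness, the comparison may not clamp as intended, so consider validating size first and failing the cursor command at that point. Separately, a data_size larger than the chunk data is silently truncated here; a warning log or an error return would make a malformed command visible instead of quietly accepted. A one-line comment above the MIN saying that data_size must never exceed the linearized size would also document why the assignment exists.
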
-- 
2.4.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel



