[PATCH 4/4] prevent integer overflow in red_get_clip_rects

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
Acked-by: Christophe Fergeau <cfergeau@xxxxxxxxxx>
---
 server/red-parse-qxl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 54b1fd4..28f8876 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -340,7 +340,12 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
     red_put_data_chunks(&chunks);
 
     num_rects = qxl->num_rects;
-    spice_assert(num_rects * sizeof(QXLRect) == size);
+    /* The cast is needed to prevent 32 bit integer overflows.
+     * This check is enough as size is limited to 31 bit
+     * by red_get_data_chunks_ptr checks.
+     */
+    spice_assert((uint64_t) num_rects * sizeof(QXLRect) == size);
+    G_STATIC_ASSERT(sizeof(SpiceRect) == sizeof(QXLRect));
     red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
     red->num_rects = num_rects;
 
-- 
2.4.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]