The segment_size computation on 32-bit can lead to big numbers, which can lead to a negative offset.
As we test that we don't overrun the buffer, avoid underrunning it too, as we don't have a check for this.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/red-parse-qxl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 7678c7e..721c861 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -276,6 +276,9 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
         count = start->count;
         segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
+        /* avoid going backward with 32 bit architectures */
+        spice_assert((uint64_t) count * sizeof(QXLPointFix)
+                     <= (char*) end - (char*) &start->points[0]);
         start = (QXLPathSeg*)(&start->points[count]);
-- 
2.7.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
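Review bot: the new spice_assert compares an unsigned left-hand side against a signed pointer difference, which defeats the check in exactly the case it is meant to catch. `(char*) end - (char*) &start->points[0]` is a ptrdiff_t; if `&start->points[0]` already lies past `end` (a segment header that does not fit in the remaining buffer), the difference is negative, is converted to a very large unsigned value by the usual arithmetic conversions, the assert passes, and `start = (QXLPathSeg*)(&start->points[count])` still advances out of bounds. Unless the loop condition above this hunk already guarantees `(char*) &start->points[0] <= (char*) end`, check that first, e.g. `spice_assert((char*) &start->points[0] <= (char*) end);` immediately before the count check, or compute the remaining length into a `size_t` only after that ordering has been established. Separately, `count` is guest-controlled QXL data, so spice_assert turns a malformed command into a host-side abort; `red_get_path` returns a `SpicePath *`, so returning NULL with an error log would let the caller recover instead of crashing. If spice_assert is the established convention for bad guest data in this file, keep it consistent, but the commit message should then say that a bad `count` is treated as fatal.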