[PATCH 2/2] avoid integer underflow under 32 bit architectures

The segment_size computation on 32 bit can lead to big numbers which
can lead to a negative offset. As we test that we don't overrun the
buffer, avoid underrunning it, as we don't have a check for this.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/red-parse-qxl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 7678c7e..721c861 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -276,6 +276,9 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
         count = start->count;
         segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
         mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
+        /* avoid going backward with 32 bit architectures */
+        spice_assert((uint64_t) count * sizeof(QXLPointFix)
+                     <= (char*) end - (char*) &start->points[0]);
         start = (QXLPathSeg*)(&start->points[count]);
     }
 
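Review bot: the right-hand side of the new spice_assert, (char*) end - (char*) &start->points[0], is a signed pointer difference compared against a uint64_t, so when &start->points[0] already lies past end (a segment header that straddles the end of the data) the negative difference converts to a very large unsigned value and the assertion passes. Nothing in the visible lines rules that case out, and count = start->count is read before this check. Consider first asserting (char*) &start->points[0] <= (char*) end, then comparing count * sizeof(QXLPointFix) against the difference cast to an unsigned type, so both sides of the comparison are known to be non-negative. Separately, spice_assert turns a malformed count into a process abort; if the surrounding function has an error return for bad input, using it here would let the caller reject the command instead of terminating.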
-- 
2.7.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



