On Fri, Jun 3, 2016 at 2:03 PM, Frediano Ziglio <fziglio@xxxxxxxxxx> wrote:
> Use 64 bit arithmetic to avoid overflows.
> The multiplication between count and a constant can overflow.
>
> Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> ---
> server/red-parse-qxl.c | 13 ++++---------
> 1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
> index 0fdf912..7678c7e 100644
> --- a/server/red-parse-qxl.c
> +++ b/server/red-parse-qxl.c
> @@ -246,7 +246,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
> bool free_data;
> QXLPath *qxl;
> SpicePath *red;
> - size_t size, mem_size, mem_size2, dsize, segment_size;
> + size_t size;
> + uint64_t mem_size, mem_size2, segment_size;
> int n_segments;
> int i;
> uint32_t count;
> @@ -273,7 +274,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
> while (start+1 < end) {
> n_segments++;
> count = start->count;
> - segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
> + segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
> mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4);
> start = (QXLPathSeg*)(&start->points[count]);
> }
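Review bot: The 64-bit `mem_size` accumulated in this loop is never checked against what the allocator can accept. `count` is read from `start->count`, which the comment in the last hunk treats as guest-changeable, so on a build where `size_t` is 32 bits the total can exceed `SIZE_MAX`. If the allocation call (outside this hunk) takes a `size_t`, it would be truncated while the later `spice_assert(mem_size2 <= mem_size)` still compares the untruncated values. I would add `spice_assert(mem_size <= SIZE_MAX);` right after the loop, or fail the parse there. The declaration change in the first hunk is what widens `mem_size`, so the same point covers it.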
> @@ -292,14 +293,8 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
>
> /* Protect against overflow in size calculations before
> writing to memory */
> - spice_assert(mem_size2 + sizeof(SpicePathSeg) > mem_size2);
> - mem_size2 += sizeof(SpicePathSeg);
> - spice_assert(count < UINT32_MAX / sizeof(SpicePointFix));
> - dsize = count * sizeof(SpicePointFix);
> - spice_assert(mem_size2 + dsize > mem_size2);
> - mem_size2 += dsize;
> -
> /* Verify that we didn't overflow due to guest changing data */
> + mem_size2 += sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix);
> spice_assert(mem_size2 <= mem_size);
>
> seg->flags = start->flags;
> --
> 2.7.4
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
Acked-by: Fabiano Fidêncio <fidencio@xxxxxxxxxx>
--
Fabiano Fidêncio
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
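Review bot: The comment `/* Protect against overflow in size calculations before writing to memory */` is left behind with none of the asserts it described, so it now sits directly on top of the `Verify that we didn't overflow` comment. I would fold the two into one that says why no wrap check is needed any more, for example `/* count is 32 bit, so the 64 bit sum cannot wrap; check the guest did not grow the data since the sizing pass */`. The removed `spice_assert(count < UINT32_MAX / sizeof(SpicePointFix))` was also the only explicit bound on `count` in this loop, so the comparison against `mem_size` is now the sole guard before the writes that start at `seg->flags = start->flags;` and continue outside this hunk; that is worth stating in the comment too.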