On Fri, Jun 3, 2016 at 2:03 PM, Frediano Ziglio <fziglio@xxxxxxxxxx> wrote: > The segment_size computation on 32 bit can lead to big numbers which > can lead to negative offset. As we test we don't overrun the buffer > avoid to underrun it as we don't have a check for this. The last sentence in the commit message is a bit confusing. "let's avoid to underrun the buffer, as it's not checked", maybe? > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > --- > server/red-parse-qxl.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c > index 7678c7e..721c861 100644 > --- a/server/red-parse-qxl.c > +++ b/server/red-parse-qxl.c > @@ -276,6 +276,9 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, > count = start->count; > segment_size = sizeof(SpicePathSeg) + (uint64_t) count * sizeof(SpicePointFix); > mem_size += sizeof(SpicePathSeg *) + SPICE_ALIGN(segment_size, 4); > + /* avoid going backward with 32 bit architectures */ > + spice_assert((uint64_t) count * sizeof(QXLPointFix) > + <= (char*) end - (char*) &start->points[0]); > start = (QXLPathSeg*)(&start->points[count]); > } > > -- > 2.7.4 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/spice-devel Acked-by: Fabiano Fidêncio <fidencio@xxxxxxxxxx> -- Fabiano Fidêncio
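Review bot: the new spice_assert compares a uint64_t on the left with a signed pointer difference, `(char*) end - (char*) &start->points[0]`, on the right, so the usual arithmetic conversions turn it into an unsigned comparison: if `&start->points[0]` already lies past `end` (which happens whenever `start` sits within the QXLPathSeg header size of `end`, something the visible lines do not rule out), the negative difference converts to a huge unsigned value and the assert passes, defeating the check it was added for. Guard the subtraction first, e.g. `spice_assert((char*) &start->points[0] <= (char*) end);` before the existing assert, or keep both sides signed. Two smaller points on the same hunk: the assert uses sizeof(QXLPointFix) while segment_size two lines above uses sizeof(SpicePointFix); that is the right size for the pointer arithmetic on `start`, but a short comment noting the QXL/Spice distinction would stop a later reader from "fixing" it. And since `count` comes from guest-supplied QXL data, a failing spice_assert aborts the whole server on malformed input; if red_get_path already has an error-return path for the overrun case the commit message mentions, returning an error here would be preferable to an abort.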