encode_ones is called to encode a long sequence of 1 bits.

In some conditions (I managed to reproduce it with an 85000x4 pixel image filled with a single color) encode_ones is called with an "n" value >= 32. This causes encode to be called with a "len" value of 32, which triggers this assert:

  spice_assert(len > 0 && len < 32);

causing a crash.

Instead of calling encode with a constant "len" of 32, call encode_32, which is supposed to encode exactly 32 bits.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
--- common/quic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/quic.c b/common/quic.c index 1be28c6..e097064 100644 --- a/common/quic.c +++ b/common/quic.c @@ -507,7 +507,7 @@ static inline void encode_ones(Encoder *encoder, unsigned int n) unsigned int count; for (count = n >> 5; count; count--) { - encode(encoder, ~0U, 32); + encode_32(encoder, ~0U); } if ((n &= 0x1f)) { -- 2.13.4
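
Review bot: In the loop body at `encode_32(encoder, ~0U);`, the fix relies on encode_32 emitting exactly 32 bits from whatever bit position the encoder is currently at, and the commit message only says it is "supposed to" do that. encode_32 is not visible in this hunk, so please confirm that behaviour in the message, or add a one-line comment above the call noting that encode() asserts `len < 32` and therefore cannot take a full word. The remainder branch after the loop looks fine as it stands, since `n &= 0x1f` leaves a value of 1 to 31 there, which is inside the assert's range. Because the abort is reached from image content alone, a regression test built from the reproduction case in the message (an 85000x4 single-color image) would keep this path covered.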