Prevent possible buffer reading overflow. Note that message pointer must be valid and data are checked value by value so even on overflow you just get an error.
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/inputs-channel.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 2de1c7c80..3d43e90ff 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -507,6 +507,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
 SpiceMigrateDataHeader *header;
 SpiceMigrateDataInputs *mig_data;
+ if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
+ spice_warning("bad message size %u", size);
+ return FALSE;
+ }
+
 header = (SpiceMigrateDataHeader *)message;
 mig_data = (SpiceMigrateDataInputs *)(header + 1);
--
2.13.6
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
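Review bot: The new guard in inputs_channel_handle_migrate_data is only sound if `size` is unsigned, and its declaration sits in the part of the signature that the hunk header cuts off; the `%u` in the warning suggests an unsigned type, but if it were signed, a negative value would be converted to `size_t` in the comparison and pass the check. The check also carries no comment saying why the bound is the sum of the two structures, so I would add `/* migration data is peer-supplied: header and inputs payload must both fit before the casts below */` above the `if`. The function body continues past the hunk, so the later field-by-field validation the commit message relies on cannot be confirmed from here.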