The type of the image is just copied from network without any check and later used for array indexing.
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
common/lz.c | 3 +++
1 file changed, 3 insertions(+)
Changes since v3:
- just fix the issue, without changing much the code/declarations
diff --git a/common/lz.c b/common/lz.c
index b7e7d48..ff5f4ef 100644
--- a/common/lz.c
+++ b/common/lz.c
@@ -594,6 +594,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
 }
 encoder->type = (LzImageType)decode_32(encoder);
+ if (encoder->type < 0 || encoder->type > LZ_IMAGE_TYPE_A8) {
+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
+ }
 encoder->width = decode_32(encoder);
 encoder->height = decode_32(encoder);
 encoder->stride = decode_32(encoder);
-- 
2.17.1
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
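Review bot: The added guard only stops the decode if `encoder->usr->error` never returns; if that callback can return, the lines that follow keep decoding width, height and stride with the rejected value still stored in `encoder->type`, so the array-indexing hazard the commit targets survives in that case. If the non-returning contract is not guaranteed by every `LzUsrContext` implementation, add `return;` after the error call (the function is `void`); if the contract is firm, document it on the spot with `/* usr->error() must not return */`. The lower bound `encoder->type < 0` is dead code when the compiler picks an unsigned underlying type for `LzImageType` — harmless, since the `> LZ_IMAGE_TYPE_A8` comparison then covers every out-of-range value, but casting the argument to `(int)` for the `%d` conversion keeps the varargs type exact either way. Whether 0 is itself a decodable type is not visible here; if the enum has an invalid/placeholder first member, it presumably should be rejected too. lz_decode_begin begins and ends outside the hunk.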