[vdagent-win PATCH v3 02/10] Minor overflow checks improvements

Although the source of these data should be safe, improve data checks
to avoid some overflows and make the code more robust.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 vdagent/vdagent.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
index 7318725..60a6121 100644
--- a/vdagent/vdagent.cpp
+++ b/vdagent/vdagent.cpp
@@ -1314,7 +1314,7 @@ VOID VDAgent::read_completion(DWORD err, DWORD bytes, LPOVERLAPPED overlapped)
         count = sizeof(VDIChunk) - a->_read_pos;
     } else if (a->_read_pos == sizeof(VDIChunk)) {
         count = chunk->hdr.size;
-        if (a->_read_pos + count > sizeof(a->_read_buf)) {
+        if (count > sizeof(a->_read_buf) - a->_read_pos) {
             vd_printf("chunk is too large, size %u port %u", chunk->hdr.size, chunk->hdr.port);
             a->_running = false;
             return;
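Review bot: The rewritten bound `sizeof(a->_read_buf) - a->_read_pos` is an unsigned subtraction, so it is only correct while `a->_read_pos` does not exceed `sizeof(a->_read_buf)`. Here that holds because the enclosing branch is `a->_read_pos == sizeof(VDIChunk)`, but nothing in the hunk states that the buffer is at least `sizeof(VDIChunk)` bytes. A compile-time assertion on that relation, or a short comment next to the check, would keep the invariant from being broken silently if the buffer size or the branch condition changes later.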
@@ -1366,6 +1366,12 @@ void VDAgent::handle_chunk(VDIChunk* chunk)
     }
 
     // append chunk to partial message
+    if (chunk->hdr.size > sizeof(VDAgentMessage) + _in_msg->size - _in_msg_pos) {
+        vd_printf("Invalid VDAgentMessage message");
+        _running = false;
+        return;
+    }
+
     memcpy((uint8_t*)_in_msg + _in_msg_pos, chunk->data, chunk->hdr.size);
     _in_msg_pos += chunk->hdr.size;
     // update clipboard tick on each clipboard chunk for timeout setting
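Review bot: The right-hand side of the new check, `sizeof(VDAgentMessage) + _in_msg->size - _in_msg_pos`, can itself wrap, so the guard in front of the `memcpy` is not yet complete. If `_in_msg->size` is a 32-bit value and the build uses a 32-bit `size_t`, the addition can overflow before the subtraction, and if `_in_msg_pos` ever exceeds the total the subtraction underflows to a very large bound and the check passes. Neither case is ruled out by the visible lines. Consider validating `_in_msg->size` against a maximum at the point where the message is first accepted, and checking `_in_msg_pos <= sizeof(VDAgentMessage) + _in_msg->size` before computing the remaining space. The log text "Invalid VDAgentMessage message" is also redundant and, unlike the message in the read_completion hunk, does not print the sizes involved; including `chunk->hdr.size`, `_in_msg->size` and `_in_msg_pos` would make a failure diagnosable.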
-- 
2.17.1

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



