On Fri, 2018-06-29 at 08:11 +0100, Frediano Ziglio wrote:
> Although source of these data should be safe improve data checks
add comma after "safe"
> to avoid some overflows and make the code more robust.
>
> Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> ---
> vdagent/vdagent.cpp | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/vdagent/vdagent.cpp b/vdagent/vdagent.cpp
> index 7318725..60a6121 100644
> --- a/vdagent/vdagent.cpp
> +++ b/vdagent/vdagent.cpp
> @@ -1314,7 +1314,7 @@ VOID VDAgent::read_completion(DWORD err, DWORD
> bytes, LPOVERLAPPED overlapped)
> count = sizeof(VDIChunk) - a->_read_pos;
> } else if (a->_read_pos == sizeof(VDIChunk)) {
> count = chunk->hdr.size;
> - if (a->_read_pos + count > sizeof(a->_read_buf)) {
> + if (count > sizeof(a->_read_buf) - a->_read_pos) {
> vd_printf("chunk is too large, size %u port %u", chunk-
> >hdr.size, chunk->hdr.port);
> a->_running = false;
> return;
> @@ -1366,6 +1366,12 @@ void VDAgent::handle_chunk(VDIChunk* chunk)
> }
>
> // append chunk to partial message
> + if (chunk->hdr.size > sizeof(VDAgentMessage) + _in_msg->size -
> _in_msg_pos) {
> + vd_printf("Invalid VDAgentMessage message");
> + _running = false;
> + return;
> + }
> +
> memcpy((uint8_t*)_in_msg + _in_msg_pos, chunk->data, chunk-
> >hdr.size);
> _in_msg_pos += chunk->hdr.size;
> // update clipboard tick on each clipboard chunk for timeout
> setting
Acked-by: Jonathon Jongsma <jjongsma@xxxxxxxxxx>
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel