From: Frediano Ziglio <freddy77@xxxxxxxxx>

The patches on this series are addressing CVE-2020-14355.

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. More specifically, these flaws reside in the spice-common shared code between the client and server of SPICE. In other words, both the client (spice-gtk) and server are affected by these flaws. A malicious client or server could send specially crafted messages which could result in a process crash or a potential code execution scenario.

* One issue leading to a controlled write overflow is due to the 'width * height' integer overflow. Using this overflow an attacker could cause a small allocation and control the data using compressed data. Note that, using the check for input data, the attacker can avoid the crash by filling the whole needed buffer. ("quic: Check image size in quic_decode_begin" patch).

* Another controlled write could be achieved using the RLE decode, which is done line by line, in theory with former lines writing more bytes in order to build the desired buffer content after the allocated buffer. ("quic: Check RLE lengths" patch).

* The "quic: Avoid possible buffer overflow in find_bucket" issue is a read buffer overflow which will dereference an invalid pointer, mainly causing a crash.

* Embargo date+time: Tue, 06 Oct 2020, 12:00 hrs. UTC.
Frediano Ziglio (6):
  quic: Check we have some data to start decoding quic image
  quic: Check image size in quic_decode_begin
  quic: Check RLE lengths
  quic: Avoid possible buffer overflow in find_bucket
  test-quic: Add fuzzer capabilities to the test
  test-quic: Add test cases for quic fuzzer

 common/quic.c                          |  15 +++++++-
 common/quic_family_tmpl.c              |   7 +++-
 common/quic_tmpl.c                     |   6 ++-
 tests/fuzzer-quic-testcases/test1.quic | Bin 0 -> 4292 bytes
 tests/fuzzer-quic-testcases/test2.quic | Bin 0 -> 2808 bytes
 tests/fuzzer-quic-testcases/test3.quic | Bin 0 -> 2556 bytes
 tests/fuzzer-quic-testcases/test4.quic | Bin 0 -> 30892 bytes
 tests/test-quic.c                      |  51 ++++++++++++++++++++++++-
 8 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 tests/fuzzer-quic-testcases/test1.quic
 create mode 100644 tests/fuzzer-quic-testcases/test2.quic
 create mode 100644 tests/fuzzer-quic-testcases/test3.quic
 create mode 100644 tests/fuzzer-quic-testcases/test4.quic

-- 
2.26.2

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
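The two write-overflow patterns the cover letter describes (a wrapped 'width * height' product that yields a small allocation, and RLE runs that spill past the current line into the rest of the buffer) are shown below in a toy line-based RLE decoder, next to the checks that close them. This is an added example written for this page, not code from spice-common or from the patch series; the stream format, the function names, the MAX_PIXELS cap and the sample streams are all assumptions made for the illustration.

```c
/* Added example (not spice-common code): the width*height wrap and the
 * unchecked RLE run length, with the checks that reject both.
 * Format, names and MAX_PIXELS are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on pixels per image for this example. */
#define MAX_PIXELS (64u * 1024u * 1024u)

/* Vulnerable pattern: a 32-bit width * height product wraps, so the buffer
 * sized from it is tiny while the decoder still emits width*height pixels. */
uint32_t naive_pixel_count(uint32_t width, uint32_t height)
{
    return width * height;               /* 65536 * 65537 wraps to 65536 */
}

/* Hardened: reject zero dimensions, a product that would overflow, and a
 * product above the cap. Returns 0 for a rejected size, else the count. */
size_t checked_pixel_count(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    if (width > MAX_PIXELS / height)     /* division form cannot overflow */
        return 0;
    return (size_t)width * height;
}

/* Toy RLE line format (assumed): (count, value) byte pairs whose counts must
 * sum exactly to `width`. Returns input bytes consumed, or -1 if the input is
 * truncated or a run would write past the end of the line. Without the
 * `count > width - x` check, a long run on an earlier line would keep writing
 * into the following lines and past the end of the allocation. */
long rle_decode_line(const uint8_t *src, size_t src_len, uint8_t *dst, size_t width)
{
    size_t x = 0, in = 0;
    while (x < width) {
        if (src_len - in < 2)
            return -1;                   /* truncated input */
        size_t count = src[in];
        uint8_t value = src[in + 1];
        in += 2;
        if (count == 0 || count > width - x)
            return -1;                   /* the "Check RLE lengths" condition */
        memset(dst + x, value, count);
        x += count;
    }
    return (long)in;
}

/* Whole image: size check first, then one bounded line at a time.
 * Returns a malloc'd width*height buffer, or NULL if anything is rejected. */
uint8_t *decode_image(uint32_t width, uint32_t height, const uint8_t *src, size_t src_len)
{
    size_t npix = checked_pixel_count(width, height);
    if (npix == 0)
        return NULL;
    uint8_t *pixels = malloc(npix);
    if (pixels == NULL)
        return NULL;
    size_t off = 0;
    for (uint32_t y = 0; y < height; y++) {
        long used = rle_decode_line(src + off, src_len - off,
                                    pixels + (size_t)y * width, width);
        if (used < 0) {
            free(pixels);
            return NULL;
        }
        off += (size_t)used;
    }
    return pixels;
}

/* Result helper: sum of all decoded pixels, or -1 if the image was rejected. */
long decode_checksum(uint32_t width, uint32_t height, const uint8_t *src, size_t src_len)
{
    uint8_t *pixels = decode_image(width, height, src, src_len);
    if (pixels == NULL)
        return -1;
    long sum = 0;
    size_t npix = (size_t)width * height;   /* already validated above */
    for (size_t i = 0; i < npix; i++)
        sum += pixels[i];
    free(pixels);
    return sum;
}

/* Constructed 4x2 sample streams for this example (not captured SPICE data). */
const uint8_t SAMPLE_GOOD[] = { 2, 0x01, 2, 0x02,     /* line 0: 1 1 2 2 */
                                4, 0x03 };            /* line 1: 3 3 3 3 */
const uint8_t SAMPLE_OVERLONG[] = { 2, 0x01, 3, 0x02, /* run of 3 at x=2 spills past x=3 */
                                    4, 0x03 };
```

The size check has to run before the allocation and use a form that cannot itself overflow (division, or a 64-bit product compared against the cap); the per-run bound has to be checked before the copy, because by the time a line has been fully written it is already too late to notice that an earlier run was too long.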