From: Frediano Ziglio <freddy77@xxxxxxxxx> Avoid some overflow in code due to images too big or negative numbers. Signed-off-by: Frediano Ziglio <freddy77@xxxxxxxxx> Acked-by: Uri Lublin <uril@xxxxxxxxxx> --- common/quic.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/common/quic.c b/common/quic.c index bc753ca..6815316 100644 --- a/common/quic.c +++ b/common/quic.c @@ -56,6 +56,9 @@ typedef uint8_t BYTE; #define MINwminext 1 #define MAXwminext 100000000 +/* Maximum image size in pixels, mainly to avoid possible integer overflows */ +#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1) + typedef struct QuicFamily { unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of unmodified GR codewords in the code */ @@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w height = encoder->io_word; decode_eat32bits(encoder); + if (width <= 0 || height <= 0) { + encoder->usr->warn(encoder->usr, "invalid size\n"); + return QUIC_ERROR; + } + + /* avoid too big images */ + if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) { + encoder->usr->error(encoder->usr, "image too large\n"); + } + quic_image_params(encoder, type, &channels, &bpc); if (!encoder_reset_channels(encoder, channels, width, bpc)) { -- 2.26.2 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel