diff options
| author | Frediano Ziglio <fziglio@redhat.com> | 2015-09-15 16:25:17 +0100 |
|---|---|---|
| committer | Frediano Ziglio <fziglio@redhat.com> | 2015-10-06 11:11:11 +0100 |
| commit | 2693e0497e5626642250cff47a59b3b4b2cd432d (patch) | |
| tree | 34bd54c0ccb2d6f60e9b3536da97227177fc8fc7 | |
| parent | a447c4f2ac19a1fa36330ffc90ee70b953b82050 (diff) | |
| download | spice-2693e0497e5626642250cff47a59b3b4b2cd432d.tar.gz spice-2693e0497e5626642250cff47a59b3b4b2cd432d.tar.xz spice-2693e0497e5626642250cff47a59b3b4b2cd432d.zip | |
Make sure we can read QXLPathSeg structures
start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
| -rw-r--r-- | server/red_parse_qxl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index f21bfa55..281faad6 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, start = (QXLPathSeg*)data; end = (QXLPathSeg*)(data + size); - while (start < end) { + while (start+1 < end) { n_segments++; count = start->count; segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix); @@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, seg = (SpicePathSeg*)&red->segments[n_segments]; n_segments = 0; mem_size2 = sizeof(*red); - while (start < end) { + while (start+1 < end) { red->segments[n_segments++] = seg; count = start->count; |