Prevent data_size to be set independently from data

There was not check for data_size field so one could set data to a small set of data and data_size much bigger than size of data leading to buffer overflow. Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
author: Frediano Ziglio <fziglio@redhat.com> 2015-09-17 14:28:36 +0100
committer: Frediano Ziglio <fziglio@redhat.com> 2015-10-06 11:11:11 +0100
commit: b3be589ab3b32af3e470a9dec19a61fb086f72fc (patch)
tree: 98fa5e94b2219b8963cea6feb140320eef8f7b83
parent: 2b6695f1222f68690ea230e4e37ded7e07188f06 (diff)
download: spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.tar.gz
spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.tar.xz
spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index c7f8650a..3ce44314 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -1388,6 +1388,7 @@ static int red_get_cursor(RedMemSlotInfo *slots, int group_id,
     size = red_get_data_chunks_ptr(slots, group_id,
                                    get_memslot_id(slots, addr),
                                    &chunks, &qxl->chunk);
+    red->data_size = MIN(red->data_size, size);
     data = red_linearize_chunk(&chunks, size, &free_data);
     red_put_data_chunks(&chunks);
     if (free_data) {
author	Frediano Ziglio <fziglio@redhat.com>	2015-09-17 14:28:36 +0100
committer	Frediano Ziglio <fziglio@redhat.com>	2015-10-06 11:11:11 +0100
commit	b3be589ab3b32af3e470a9dec19a61fb086f72fc (patch)
tree	98fa5e94b2219b8963cea6feb140320eef8f7b83
parent	2b6695f1222f68690ea230e4e37ded7e07188f06 (diff)
download	spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.tar.gz spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.tar.xz spice-b3be589ab3b32af3e470a9dec19a61fb086f72fc.zip