authorFrediano Ziglio <fziglio@redhat.com>2015-09-08 10:00:37 +0100
committerFrediano Ziglio <fziglio@redhat.com>2015-10-06 11:11:10 +0100
commit68a742aaa8d692940ac15d021799b702412887e5 (patch)
tree86b71622e5d3f733ebf31460b17bdec66d91f8e4 /server/red_parse_qxl.c
parent1eb93baa3c594e1214b1c92bbad8a06e9c7e2d12 (diff)
Fix buffer reading overflow
Not a security risk, as the overflow is only a read. However, it could be used to attempt integer overflows in the following lines. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Diffstat (limited to 'server/red_parse_qxl.c')
-rw-r--r--server/red_parse_qxl.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index bdd59175..e2f95e43 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24,
static int bitmap_consistent(SpiceBitmap *bitmap)
{
- int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
+ int bpp;
+
+ if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
+ spice_warning("wrong format specified for image\n");
+ return FALSE;
+ }
+
+ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",