Sophie

Sophie

distrib > Mageia > 5 > x86_64 > by-pkgid > 7c27404001267d5176a1f95150f7f277 > files > 15

spice-0.12.5-2.4.mga5.src.rpm

From 289301f33c7da81fcb034448d96e8c276b4fc06a Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 15 Sep 2015 16:25:17 +0100
Subject: [PATCH 54/57] Make sure we can read QXLPathSeg structures

start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range checked.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 668ce10..4663bfd 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
 
     start = (QXLPathSeg*)data;
     end = (QXLPathSeg*)(data + size);
-    while (start < end) {
+    while (start+1 < end) {
         n_segments++;
         count = start->count;
         segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
     seg = (SpicePathSeg*)&red->segments[n_segments];
     n_segments = 0;
     mem_size2 = sizeof(*red);
-    while (start < end) {
+    while (start+1 < end) {
         red->segments[n_segments++] = seg;
         count = start->count;
 
-- 
2.4.3