spice-0.12.5-2.4.mga5.src.rpm

From 18087073df84885642d9b0b1efd0e86e18409bbe Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:00:37 +0100
Subject: [PATCH 44/57] Fix buffer reading overflow

Not security risk as just for read.
However, this could be used to attempt integer overflows in the
following lines.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Index: spice-0.12.5/server/red_parse_qxl.c
===================================================================
--- spice-0.12.5.orig/server/red_parse_qxl.c	2015-10-01 07:15:58.094838178 -0400
+++ spice-0.12.5/server/red_parse_qxl.c	2015-10-01 07:15:58.094838178 -0400
@@ -361,7 +361,14 @@
 
 static int bitmap_consistent(SpiceBitmap *bitmap)
 {
-    int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
+    int bpp;
+
+    if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
+        spice_warning("wrong format specified for image\n");
+        return FALSE;
+    }
+
+    bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
 
     if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
         spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
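Review bot: the stride comparison kept as context right below the new check, `bitmap->x * bpp + 7`, still multiplies an unvalidated `bitmap->x`, so the integer overflow the commit message mentions for "the following lines" remains possible even with `bpp` now bounded. Depending on the width of `x`, a large value can wrap the product and let an undersized stride pass. Consider doing the multiplication in a 64-bit type, or rejecting `x` above a sane limit, before comparing it with `bitmap->stride`. Separately, the new `spice_warning("wrong format specified for image\n")` does not log the rejected value. Adding `bitmap->format` to the message, as the stride warning does for its operands, would make a malformed image easier to trace in the logs.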