spice-0.12.5-2.4.mga5.src.rpm

Backport of:

From 7baa8c39757b46a834e20198e4b18e9f1752e20e Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 13:09:35 +0100
Subject: [PATCH 45/57] Prevent 32 bit integer overflow in bitmap_consistent

The overflow may lead to buffer overflow as the row size computed from
width (bitmap->x) can be bigger than the size in bytes (bitmap->stride).
This can make spice-server accept the invalid sizes.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Index: spice-0.12.5/server/red_parse_qxl.c
===================================================================
--- spice-0.12.5.orig/server/red_parse_qxl.c	2015-10-01 07:16:35.634535695 -0400
+++ spice-0.12.5/server/red_parse_qxl.c	2015-10-01 07:17:24.034145739 -0400
@@ -357,11 +357,12 @@
     return "unknown";
 }
 
-static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8};
+static const unsigned int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] =
+    {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8};
 
 static int bitmap_consistent(SpiceBitmap *bitmap)
 {
-    int bpp;
+    unsigned int bpp;
 
     if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
         spice_warning("wrong format specified for image\n");
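Review bot: index 0 of MAP_BITMAP_FMT_TO_BITS_PER_PIXEL is 0 bits per pixel, and the range check on bitmap->format just below the declaration of bpp only rejects values past the end of the table. A format of 0 therefore yields bpp = 0 and a required row size of 0 in the stride comparison that follows, which any stride satisfies. If format 0 is not a usable pixel format, reject bpp == 0 explicitly here, next to the range check, so the stride test is never evaluated with a zero width factor.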
@@ -370,7 +371,7 @@
 
     bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
 
-    if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
+    if (bitmap->stride < (((uint64_t) bitmap->x * bpp + 7u) / 8u)) {
         spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",
                     bitmap->stride, bitmap->x, bpp,
                     bitmap_format_to_string(bitmap->format),
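Review bot: the spice_warning format string in the context after the changed comparison still prints bpp with %d, but bpp is now unsigned int after this patch; switch that conversion to %u so the argument type matches. The (uint64_t) cast on bitmap->x is in the right place, since it widens the operand before the multiplication rather than the already-wrapped product, and a short comment saying so would keep a later cleanup from moving the cast outside the parentheses.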