import spice-gtk-0.37-1.el8

This commit is contained in:
CentOS Sources 2019-11-05 14:39:51 -05:00 committed by Andrew Lukoshko
parent 2633cc5127
commit 8a334aa6e5
7 changed files with 23 additions and 237 deletions

3
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/spice-gtk-0.35.tar.bz2 SOURCES/spice-gtk-0.37.tar.bz2
SOURCES/victortoso-E37A484F.keyring

View File

@ -1 +1,2 @@
ce859f77e625928a147b7ae73e5af45166861d16 SOURCES/spice-gtk-0.35.tar.bz2 044a5266a613f2605f4f3f7359d7251b2141d203 SOURCES/spice-gtk-0.37.tar.bz2
da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring

View File

@ -1,29 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 22 Dec 2017 18:43:00 +0000
Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking
for image type
The type of the image is just copied from network without
any check and later used for array indexing.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
common/lz.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
index 87c13db..2c5d5e2 100644
--- a/spice-common/common/lz.c
+++ b/spice-common/common/lz.c
@@ -593,6 +593,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
}
encoder->type = (LzImageType)decode_32(encoder);
+ if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
+ }
encoder->width = decode_32(encoder);
encoder->height = decode_32(encoder);
encoder->stride = decode_32(encoder);

View File

@ -1,121 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Mon, 25 Jun 2018 14:16:10 +0100
Subject: [PATCH spice-common 2/2] lz: More checks on image sizes
Extend sizes check also to decoding, actually the source data
decoding images should be less safe than encoding.
This avoids different integer overflows and buffer overflows.
To avoid potential issues images are limited to 1GB.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
common/lz.c | 68 ++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 46 insertions(+), 22 deletions(-)
diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
index 2c5d5e2..167e118 100644
--- a/spice-common/common/lz.c
+++ b/spice-common/common/lz.c
@@ -53,6 +53,8 @@
#define HASH_SIZE (1 << HASH_LOG)
#define HASH_MASK (HASH_SIZE - 1)
+/* Maximum image size, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (1024 * 1024 * 1024 - 1)
typedef struct LzImageSegment LzImageSegment;
struct LzImageSegment {
@@ -481,33 +483,53 @@ typedef uint16_t rgb16_pixel_t;
#undef LZ_UNEXPECT_CONDITIONAL
#undef LZ_EXPECT_CONDITIONAL
-int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down,
- uint8_t *lines, unsigned int num_lines, int stride,
- uint8_t *io_ptr, unsigned int num_io_bytes)
+static void lz_set_sizes(Encoder *encoder, int type, int width, int height, int stride)
{
- Encoder *encoder = (Encoder *)lz;
- uint8_t *io_ptr_end = io_ptr + num_io_bytes;
-
- encoder->type = type;
- encoder->width = width;
- encoder->height = height;
- encoder->stride = stride;
+ if (width < 0) {
+ encoder->usr->error(encoder->usr, "invalid lz width %d\n", width);
+ }
+ if (height < 0) {
+ encoder->usr->error(encoder->usr, "invalid lz height %d\n", height);
+ }
+ if (stride < 0) {
+ encoder->usr->error(encoder->usr, "invalid lz stride %d\n", stride);
+ }
- if (IS_IMAGE_TYPE_PLT[encoder->type]) {
- if (encoder->stride > (width / PLT_PIXELS_PER_BYTE[encoder->type])) {
- if (((width % PLT_PIXELS_PER_BYTE[encoder->type]) == 0) || (
- (encoder->stride - (width / PLT_PIXELS_PER_BYTE[encoder->type])) > 1)) {
+ if (IS_IMAGE_TYPE_PLT[type]) {
+ if (stride > (width / PLT_PIXELS_PER_BYTE[type])) {
+ if (((width % PLT_PIXELS_PER_BYTE[type]) == 0) || (
+ (stride - (width / PLT_PIXELS_PER_BYTE[type])) > 1)) {
encoder->usr->error(encoder->usr, "stride overflows (plt)\n");
}
}
} else {
- if (encoder->stride != width * RGB_BYTES_PER_PIXEL[encoder->type]) {
+ if (stride != width * RGB_BYTES_PER_PIXEL[type]) {
encoder->usr->error(encoder->usr, "stride != width*bytes_per_pixel (rgb) %d != %d * %d (%d)\n",
- encoder->stride, width, RGB_BYTES_PER_PIXEL[encoder->type],
- encoder->type);
+ stride, width, RGB_BYTES_PER_PIXEL[type],
+ type);
}
}
+ // avoid too big images
+ if ((uint64_t) stride * height > SPICE_MAX_IMAGE_SIZE) {
+ encoder->usr->error(encoder->usr, "image too large\n");
+ }
+
+ encoder->type = type;
+ encoder->width = width;
+ encoder->height = height;
+ encoder->stride = stride;
+}
+
+int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down,
+ uint8_t *lines, unsigned int num_lines, int stride,
+ uint8_t *io_ptr, unsigned int num_io_bytes)
+{
+ Encoder *encoder = (Encoder *)lz;
+ uint8_t *io_ptr_end = io_ptr + num_io_bytes;
+
+ lz_set_sizes(encoder, type, width, height, stride);
+
// assign the output buffer
if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
encoder->usr->error(encoder->usr, "lz encoder io reset failed\n");
@@ -592,13 +614,15 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
encoder->usr->error(encoder->usr, "bad version\n");
}
- encoder->type = (LzImageType)decode_32(encoder);
- if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
+ int type = decode_32(encoder);
+ if (type <= LZ_IMAGE_TYPE_INVALID || type > LZ_IMAGE_TYPE_A8) {
encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
}
- encoder->width = decode_32(encoder);
- encoder->height = decode_32(encoder);
- encoder->stride = decode_32(encoder);
+ int width = decode_32(encoder);
+ int height = decode_32(encoder);
+ int stride = decode_32(encoder);
+ lz_set_sizes(encoder, type, width, height, stride);
+
*out_top_down = decode_32(encoder);
*out_width = encoder->width;

View File

@ -1,72 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Wed, 27 Jun 2018 10:55:05 +0100
Subject: [PATCH spice-common] canvas_base: Check for overflows decoding LZ4
Check that we have enough data before reading.
This could lead to read buffer overflows being undetected.
This is not a security issue, read happens only in the client not causing
any information leakage, maximum can generate a crash or some garbage on
the screen.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
---
common/canvas_base.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/spice-common/common/canvas_base.c b/spice-common/common/canvas_base.c
index 2fd60aa..3283e88 100644
--- a/spice-common/common/canvas_base.c
+++ b/spice-common/common/canvas_base.c
@@ -537,6 +537,10 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
width = image->descriptor.width;
stride_encoded = width;
height = image->descriptor.height;
+ if (data + 2 > data_end) {
+ g_warning("missing header in LZ4 data");
+ return NULL;
+ }
top_down = *(data++);
spice_format = *(data++);
switch (spice_format) {
@@ -579,16 +583,22 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
bits = dest;
do {
+ if (data + 4 > data_end) {
+ goto format_error;
+ }
// Read next compressed block
enc_size = ntohl(*SPICE_UNALIGNED_CAST(uint32_t *, data));
data += 4;
+ /* check overflow. This check is a bit different to avoid
+ * possible overflows. From previous check data_end - data cannot overflow.
+ * Computing data + enc_size on 32 bit could cause overflows. */
+ if (enc_size < 0 || data_end - data < (unsigned int) enc_size) {
+ goto format_error;
+ }
dec_size = LZ4_decompress_safe_continue(stream, (const char *) data,
(char *) dest, enc_size, available);
if (dec_size <= 0) {
- spice_warning("Error decoding LZ4 block\n");
- pixman_image_unref(surface);
- surface = NULL;
- break;
+ goto format_error;
}
dest += dec_size;
available -= dec_size;
@@ -599,6 +609,12 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
LZ4_freeStreamDecode(stream);
return surface;
+
+format_error:
+ spice_warning("Error decoding LZ4 block\n");
+ LZ4_freeStreamDecode(stream);
+ pixman_image_unref(surface);
+ return NULL;
}
#endif

Binary file not shown.

View File

@ -1,24 +1,23 @@
#define _version_suffix #define _version_suffix
Name: spice-gtk Name: spice-gtk
Version: 0.35 Version: 0.37
Release: 7%{?dist} Release: 1%{?dist}
Summary: A GTK+ widget for SPICE clients Summary: A GTK+ widget for SPICE clients
Group: System Environment/Libraries Group: System Environment/Libraries
License: LGPLv2+ License: LGPLv2+
URL: http://spice-space.org/page/Spice-Gtk URL: http://spice-space.org/page/Spice-Gtk
#VCS: git:git://anongit.freedesktop.org/spice/spice-gtk #VCS: git:git://anongit.freedesktop.org/spice/spice-gtk
Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2 Source0: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
Source1: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig
Patch0001: 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch Source2: victortoso-E37A484F.keyring
Patch0002: 0002-lz-More-checks-on-image-sizes.patch
Patch0003: 0003-canvas_base-Check-for-overflows-decoding-LZ4.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gnupg2
BuildRequires: intltool BuildRequires: intltool
BuildRequires: usbredir-devel >= 0.5.2 BuildRequires: usbredir-devel >= 0.7.1
BuildRequires: libusb1-devel >= 1.0.9 BuildRequires: libusb1-devel >= 1.0.16
BuildRequires: libgudev1-devel BuildRequires: libgudev1-devel
BuildRequires: pixman-devel libjpeg-turbo-devel BuildRequires: pixman-devel libjpeg-turbo-devel
BuildRequires: celt051-devel pulseaudio-libs-devel opus-devel BuildRequires: celt051-devel pulseaudio-libs-devel opus-devel
@ -34,8 +33,9 @@ BuildRequires: usbutils
BuildRequires: libsoup-devel >= 2.49.91 BuildRequires: libsoup-devel >= 2.49.91
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: gtk3-devel BuildRequires: gtk3-devel
BuildRequires: spice-protocol >= 0.12.14 BuildRequires: json-glib-devel
BuildRequires: gstreamer1-devel gstreamer1-plugins-base-devel BuildRequires: spice-protocol >= 0.14.0
BuildRequires: gstreamer1-devel >= 1.10.0 gstreamer1-plugins-base-devel >= 1.10.0
BuildRequires: python3-devel BuildRequires: python3-devel
Obsoletes: spice-gtk-python < 0.32 Obsoletes: spice-gtk-python < 0.32
@ -109,6 +109,7 @@ spicy-screenshot is a tool to capture screen-shots of a SPICE desktop.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -S git_am %autosetup -S git_am
%build %build
@ -140,8 +141,8 @@ rm -f %{buildroot}%{_libdir}/*.la
%files %files
%doc AUTHORS %doc AUTHORS
%doc COPYING %doc COPYING
%doc README %doc README.md
%doc NEWS %doc CHANGELOG.md
%{_mandir}/man1/spice-client.1* %{_mandir}/man1/spice-client.1*
%files -n spice-glib -f %{name}.lang %files -n spice-glib -f %{name}.lang
@ -180,6 +181,11 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_bindir}/spicy-stats %{_bindir}/spicy-stats
%changelog %changelog
* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.37-1
- Update to 0.37
Resolves: rhbz#1711370
- Use gpg to check that tarball matches upstream release
* Fri Oct 12 2018 Frediano Ziglio <fziglio@redhat.com> - 0.35-7 * Fri Oct 12 2018 Frediano Ziglio <fziglio@redhat.com> - 0.35-7
- Check for overflows decoding LZ4 - Check for overflows decoding LZ4
Resolves: rhbz#1598242 Resolves: rhbz#1598242