import spice-gtk-0.37-1.el8
This commit is contained in:
parent
2633cc5127
commit
8a334aa6e5
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
|||||||
SOURCES/spice-gtk-0.35.tar.bz2
|
SOURCES/spice-gtk-0.37.tar.bz2
|
||||||
|
SOURCES/victortoso-E37A484F.keyring
|
||||||
|
@ -1 +1,2 @@
|
|||||||
ce859f77e625928a147b7ae73e5af45166861d16 SOURCES/spice-gtk-0.35.tar.bz2
|
044a5266a613f2605f4f3f7359d7251b2141d203 SOURCES/spice-gtk-0.37.tar.bz2
|
||||||
|
da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring
|
||||||
|
@ -1,29 +0,0 @@
|
|||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Date: Fri, 22 Dec 2017 18:43:00 +0000
|
|
||||||
Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking
|
|
||||||
for image type
|
|
||||||
|
|
||||||
The type of the image is just copied from network without
|
|
||||||
any check and later used for array indexing.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Acked-by: Uri Lublin <uril@redhat.com>
|
|
||||||
---
|
|
||||||
common/lz.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
|
|
||||||
index 87c13db..2c5d5e2 100644
|
|
||||||
--- a/spice-common/common/lz.c
|
|
||||||
+++ b/spice-common/common/lz.c
|
|
||||||
@@ -593,6 +593,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
|
|
||||||
}
|
|
||||||
|
|
||||||
encoder->type = (LzImageType)decode_32(encoder);
|
|
||||||
+ if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
|
|
||||||
+ }
|
|
||||||
encoder->width = decode_32(encoder);
|
|
||||||
encoder->height = decode_32(encoder);
|
|
||||||
encoder->stride = decode_32(encoder);
|
|
@ -1,121 +0,0 @@
|
|||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Date: Mon, 25 Jun 2018 14:16:10 +0100
|
|
||||||
Subject: [PATCH spice-common 2/2] lz: More checks on image sizes
|
|
||||||
|
|
||||||
Extend sizes check also to decoding, actually the source data
|
|
||||||
decoding images should be less safe than encoding.
|
|
||||||
This avoids different integer overflows and buffer overflows.
|
|
||||||
To avoid potential issues images are limited to 1GB.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
|
||||||
---
|
|
||||||
common/lz.c | 68 ++++++++++++++++++++++++++++++++++++-----------------
|
|
||||||
1 file changed, 46 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
|
|
||||||
index 2c5d5e2..167e118 100644
|
|
||||||
--- a/spice-common/common/lz.c
|
|
||||||
+++ b/spice-common/common/lz.c
|
|
||||||
@@ -53,6 +53,8 @@
|
|
||||||
#define HASH_SIZE (1 << HASH_LOG)
|
|
||||||
#define HASH_MASK (HASH_SIZE - 1)
|
|
||||||
|
|
||||||
+/* Maximum image size, mainly to avoid possible integer overflows */
|
|
||||||
+#define SPICE_MAX_IMAGE_SIZE (1024 * 1024 * 1024 - 1)
|
|
||||||
|
|
||||||
typedef struct LzImageSegment LzImageSegment;
|
|
||||||
struct LzImageSegment {
|
|
||||||
@@ -481,33 +483,53 @@ typedef uint16_t rgb16_pixel_t;
|
|
||||||
#undef LZ_UNEXPECT_CONDITIONAL
|
|
||||||
#undef LZ_EXPECT_CONDITIONAL
|
|
||||||
|
|
||||||
-int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down,
|
|
||||||
- uint8_t *lines, unsigned int num_lines, int stride,
|
|
||||||
- uint8_t *io_ptr, unsigned int num_io_bytes)
|
|
||||||
+static void lz_set_sizes(Encoder *encoder, int type, int width, int height, int stride)
|
|
||||||
{
|
|
||||||
- Encoder *encoder = (Encoder *)lz;
|
|
||||||
- uint8_t *io_ptr_end = io_ptr + num_io_bytes;
|
|
||||||
-
|
|
||||||
- encoder->type = type;
|
|
||||||
- encoder->width = width;
|
|
||||||
- encoder->height = height;
|
|
||||||
- encoder->stride = stride;
|
|
||||||
+ if (width < 0) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "invalid lz width %d\n", width);
|
|
||||||
+ }
|
|
||||||
+ if (height < 0) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "invalid lz height %d\n", height);
|
|
||||||
+ }
|
|
||||||
+ if (stride < 0) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "invalid lz stride %d\n", stride);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (IS_IMAGE_TYPE_PLT[encoder->type]) {
|
|
||||||
- if (encoder->stride > (width / PLT_PIXELS_PER_BYTE[encoder->type])) {
|
|
||||||
- if (((width % PLT_PIXELS_PER_BYTE[encoder->type]) == 0) || (
|
|
||||||
- (encoder->stride - (width / PLT_PIXELS_PER_BYTE[encoder->type])) > 1)) {
|
|
||||||
+ if (IS_IMAGE_TYPE_PLT[type]) {
|
|
||||||
+ if (stride > (width / PLT_PIXELS_PER_BYTE[type])) {
|
|
||||||
+ if (((width % PLT_PIXELS_PER_BYTE[type]) == 0) || (
|
|
||||||
+ (stride - (width / PLT_PIXELS_PER_BYTE[type])) > 1)) {
|
|
||||||
encoder->usr->error(encoder->usr, "stride overflows (plt)\n");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- if (encoder->stride != width * RGB_BYTES_PER_PIXEL[encoder->type]) {
|
|
||||||
+ if (stride != width * RGB_BYTES_PER_PIXEL[type]) {
|
|
||||||
encoder->usr->error(encoder->usr, "stride != width*bytes_per_pixel (rgb) %d != %d * %d (%d)\n",
|
|
||||||
- encoder->stride, width, RGB_BYTES_PER_PIXEL[encoder->type],
|
|
||||||
- encoder->type);
|
|
||||||
+ stride, width, RGB_BYTES_PER_PIXEL[type],
|
|
||||||
+ type);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ // avoid too big images
|
|
||||||
+ if ((uint64_t) stride * height > SPICE_MAX_IMAGE_SIZE) {
|
|
||||||
+ encoder->usr->error(encoder->usr, "image too large\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ encoder->type = type;
|
|
||||||
+ encoder->width = width;
|
|
||||||
+ encoder->height = height;
|
|
||||||
+ encoder->stride = stride;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down,
|
|
||||||
+ uint8_t *lines, unsigned int num_lines, int stride,
|
|
||||||
+ uint8_t *io_ptr, unsigned int num_io_bytes)
|
|
||||||
+{
|
|
||||||
+ Encoder *encoder = (Encoder *)lz;
|
|
||||||
+ uint8_t *io_ptr_end = io_ptr + num_io_bytes;
|
|
||||||
+
|
|
||||||
+ lz_set_sizes(encoder, type, width, height, stride);
|
|
||||||
+
|
|
||||||
// assign the output buffer
|
|
||||||
if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
|
|
||||||
encoder->usr->error(encoder->usr, "lz encoder io reset failed\n");
|
|
||||||
@@ -592,13 +614,15 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
|
|
||||||
encoder->usr->error(encoder->usr, "bad version\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
- encoder->type = (LzImageType)decode_32(encoder);
|
|
||||||
- if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
|
|
||||||
+ int type = decode_32(encoder);
|
|
||||||
+ if (type <= LZ_IMAGE_TYPE_INVALID || type > LZ_IMAGE_TYPE_A8) {
|
|
||||||
encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
|
|
||||||
}
|
|
||||||
- encoder->width = decode_32(encoder);
|
|
||||||
- encoder->height = decode_32(encoder);
|
|
||||||
- encoder->stride = decode_32(encoder);
|
|
||||||
+ int width = decode_32(encoder);
|
|
||||||
+ int height = decode_32(encoder);
|
|
||||||
+ int stride = decode_32(encoder);
|
|
||||||
+ lz_set_sizes(encoder, type, width, height, stride);
|
|
||||||
+
|
|
||||||
*out_top_down = decode_32(encoder);
|
|
||||||
|
|
||||||
*out_width = encoder->width;
|
|
@ -1,72 +0,0 @@
|
|||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Date: Wed, 27 Jun 2018 10:55:05 +0100
|
|
||||||
Subject: [PATCH spice-common] canvas_base: Check for overflows decoding LZ4
|
|
||||||
|
|
||||||
Check that we have enough data before reading.
|
|
||||||
This could lead to read buffer overflows being undetected.
|
|
||||||
This is not a security issue, read happens only in the client not causing
|
|
||||||
any information leakage, maximum can generate a crash or some garbage on
|
|
||||||
the screen.
|
|
||||||
|
|
||||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
||||||
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
|
|
||||||
---
|
|
||||||
common/canvas_base.c | 24 ++++++++++++++++++++----
|
|
||||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/spice-common/common/canvas_base.c b/spice-common/common/canvas_base.c
|
|
||||||
index 2fd60aa..3283e88 100644
|
|
||||||
--- a/spice-common/common/canvas_base.c
|
|
||||||
+++ b/spice-common/common/canvas_base.c
|
|
||||||
@@ -537,6 +537,10 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
|
|
||||||
width = image->descriptor.width;
|
|
||||||
stride_encoded = width;
|
|
||||||
height = image->descriptor.height;
|
|
||||||
+ if (data + 2 > data_end) {
|
|
||||||
+ g_warning("missing header in LZ4 data");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
top_down = *(data++);
|
|
||||||
spice_format = *(data++);
|
|
||||||
switch (spice_format) {
|
|
||||||
@@ -579,16 +583,22 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
|
|
||||||
bits = dest;
|
|
||||||
|
|
||||||
do {
|
|
||||||
+ if (data + 4 > data_end) {
|
|
||||||
+ goto format_error;
|
|
||||||
+ }
|
|
||||||
// Read next compressed block
|
|
||||||
enc_size = ntohl(*SPICE_UNALIGNED_CAST(uint32_t *, data));
|
|
||||||
data += 4;
|
|
||||||
+ /* check overflow. This check is a bit different to avoid
|
|
||||||
+ * possible overflows. From previous check data_end - data cannot overflow.
|
|
||||||
+ * Computing data + enc_size on 32 bit could cause overflows. */
|
|
||||||
+ if (enc_size < 0 || data_end - data < (unsigned int) enc_size) {
|
|
||||||
+ goto format_error;
|
|
||||||
+ }
|
|
||||||
dec_size = LZ4_decompress_safe_continue(stream, (const char *) data,
|
|
||||||
(char *) dest, enc_size, available);
|
|
||||||
if (dec_size <= 0) {
|
|
||||||
- spice_warning("Error decoding LZ4 block\n");
|
|
||||||
- pixman_image_unref(surface);
|
|
||||||
- surface = NULL;
|
|
||||||
- break;
|
|
||||||
+ goto format_error;
|
|
||||||
}
|
|
||||||
dest += dec_size;
|
|
||||||
available -= dec_size;
|
|
||||||
@@ -599,6 +609,12 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image)
|
|
||||||
|
|
||||||
LZ4_freeStreamDecode(stream);
|
|
||||||
return surface;
|
|
||||||
+
|
|
||||||
+format_error:
|
|
||||||
+ spice_warning("Error decoding LZ4 block\n");
|
|
||||||
+ LZ4_freeStreamDecode(stream);
|
|
||||||
+ pixman_image_unref(surface);
|
|
||||||
+ return NULL;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
BIN
SOURCES/spice-gtk-0.37.tar.bz2.sig
Normal file
BIN
SOURCES/spice-gtk-0.37.tar.bz2.sig
Normal file
Binary file not shown.
@ -1,24 +1,23 @@
|
|||||||
#define _version_suffix
|
#define _version_suffix
|
||||||
|
|
||||||
Name: spice-gtk
|
Name: spice-gtk
|
||||||
Version: 0.35
|
Version: 0.37
|
||||||
Release: 7%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: A GTK+ widget for SPICE clients
|
Summary: A GTK+ widget for SPICE clients
|
||||||
|
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: http://spice-space.org/page/Spice-Gtk
|
URL: http://spice-space.org/page/Spice-Gtk
|
||||||
#VCS: git:git://anongit.freedesktop.org/spice/spice-gtk
|
#VCS: git:git://anongit.freedesktop.org/spice/spice-gtk
|
||||||
Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
|
Source0: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
|
||||||
|
Source1: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig
|
||||||
Patch0001: 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch
|
Source2: victortoso-E37A484F.keyring
|
||||||
Patch0002: 0002-lz-More-checks-on-image-sizes.patch
|
|
||||||
Patch0003: 0003-canvas_base-Check-for-overflows-decoding-LZ4.patch
|
|
||||||
|
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
|
BuildRequires: gnupg2
|
||||||
BuildRequires: intltool
|
BuildRequires: intltool
|
||||||
BuildRequires: usbredir-devel >= 0.5.2
|
BuildRequires: usbredir-devel >= 0.7.1
|
||||||
BuildRequires: libusb1-devel >= 1.0.9
|
BuildRequires: libusb1-devel >= 1.0.16
|
||||||
BuildRequires: libgudev1-devel
|
BuildRequires: libgudev1-devel
|
||||||
BuildRequires: pixman-devel libjpeg-turbo-devel
|
BuildRequires: pixman-devel libjpeg-turbo-devel
|
||||||
BuildRequires: celt051-devel pulseaudio-libs-devel opus-devel
|
BuildRequires: celt051-devel pulseaudio-libs-devel opus-devel
|
||||||
@ -34,8 +33,9 @@ BuildRequires: usbutils
|
|||||||
BuildRequires: libsoup-devel >= 2.49.91
|
BuildRequires: libsoup-devel >= 2.49.91
|
||||||
BuildRequires: lz4-devel
|
BuildRequires: lz4-devel
|
||||||
BuildRequires: gtk3-devel
|
BuildRequires: gtk3-devel
|
||||||
BuildRequires: spice-protocol >= 0.12.14
|
BuildRequires: json-glib-devel
|
||||||
BuildRequires: gstreamer1-devel gstreamer1-plugins-base-devel
|
BuildRequires: spice-protocol >= 0.14.0
|
||||||
|
BuildRequires: gstreamer1-devel >= 1.10.0 gstreamer1-plugins-base-devel >= 1.10.0
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
Obsoletes: spice-gtk-python < 0.32
|
Obsoletes: spice-gtk-python < 0.32
|
||||||
|
|
||||||
@ -109,6 +109,7 @@ spicy-screenshot is a tool to capture screen-shots of a SPICE desktop.
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
|
||||||
%autosetup -S git_am
|
%autosetup -S git_am
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -140,8 +141,8 @@ rm -f %{buildroot}%{_libdir}/*.la
|
|||||||
%files
|
%files
|
||||||
%doc AUTHORS
|
%doc AUTHORS
|
||||||
%doc COPYING
|
%doc COPYING
|
||||||
%doc README
|
%doc README.md
|
||||||
%doc NEWS
|
%doc CHANGELOG.md
|
||||||
%{_mandir}/man1/spice-client.1*
|
%{_mandir}/man1/spice-client.1*
|
||||||
|
|
||||||
%files -n spice-glib -f %{name}.lang
|
%files -n spice-glib -f %{name}.lang
|
||||||
@ -180,6 +181,11 @@ rm -f %{buildroot}%{_libdir}/*.la
|
|||||||
%{_bindir}/spicy-stats
|
%{_bindir}/spicy-stats
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.37-1
|
||||||
|
- Update to 0.37
|
||||||
|
Resolves: rhbz#1711370
|
||||||
|
- Use gpg to check that tarball matches upstream release
|
||||||
|
|
||||||
* Fri Oct 12 2018 Frediano Ziglio <fziglio@redhat.com> - 0.35-7
|
* Fri Oct 12 2018 Frediano Ziglio <fziglio@redhat.com> - 0.35-7
|
||||||
- Check for overflows decoding LZ4
|
- Check for overflows decoding LZ4
|
||||||
Resolves: rhbz#1598242
|
Resolves: rhbz#1598242
|
||||||
|
Loading…
Reference in New Issue
Block a user