49 lines
1.7 KiB
Diff
49 lines
1.7 KiB
Diff
From 19cd6fe85610b424349db2d97e2dd0e2761a4a05 Mon Sep 17 00:00:00 2001
|
|
From: Frediano Ziglio <freddy77@gmail.com>
|
|
Date: Wed, 29 Apr 2020 15:10:24 +0100
|
|
Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
|
|
|
|
Avoid some overflow in code due to images too big or
|
|
negative numbers.
|
|
|
|
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
Acked-by: Uri Lublin <uril@redhat.com>
|
|
---
|
|
common/quic.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
|
|
index e03f3af..890f128 100644
|
|
--- a/subprojects/spice-common/common/quic.c
|
|
+++ b/subprojects/spice-common/common/quic.c
|
|
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
|
|
#define MINwminext 1
|
|
#define MAXwminext 100000000
|
|
|
|
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
|
|
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
|
|
+
|
|
typedef struct QuicFamily {
|
|
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
|
|
unmodified GR codewords in the code */
|
|
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
|
|
height = encoder->io_word;
|
|
decode_eat32bits(encoder);
|
|
|
|
+ if (width <= 0 || height <= 0) {
|
|
+ encoder->usr->warn(encoder->usr, "invalid size\n");
|
|
+ return QUIC_ERROR;
|
|
+ }
|
|
+
|
|
+ /* avoid too big images */
|
|
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
|
|
+ encoder->usr->error(encoder->usr, "image too large\n");
|
|
+ }
|
|
+
|
|
quic_image_params(encoder, type, &channels, &bpc);
|
|
|
|
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
|
|
--
|
|
2.25.4
|
|
|