calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b449bdcf46'
${ noResults }
gentoo-overlay/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch

110 lines
4.0 KiB
Raw Blame History

From fc06265c3780e05503410a6646d1434e15d25b03 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Mon, 29 Feb 2016 14:24:03 +0000
Subject: [PATCH 1/2] factor out red_validate_surface function to validate
surface parameters
Make possible to reuse it outside red-parse-qxl.c.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/red-parse-qxl.c | 49 ++++++++++++++++++++++++++++++++-----------------
server/red-parse-qxl.h | 3 +++
2 files changed, 35 insertions(+), 17 deletions(-)
diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
index 18b7ea6..b462311 100644
--- a/server/red-parse-qxl.c
+++ b/server/red-parse-qxl.c
@@ -1327,13 +1327,41 @@ static unsigned int surface_format_to_bpp(uint32_t format)
return 0;
}
+bool red_validate_surface(uint32_t width, uint32_t height,
+ int32_t stride, uint32_t format)
+{
+ unsigned int bpp;
+ uint64_t size;
+
+ bpp = surface_format_to_bpp(format);
+
+ /* check if format is valid */
+ if (!bpp) {
+ return false;
+ }
+
+ /* check stride is larger than required bytes */
+ size = ((uint64_t) width * bpp + 7u) / 8u;
+ /* the uint32_t conversion is here to avoid problems with -2^31 value */
+ if (stride == G_MININT32 || size > (uint32_t) abs(stride)) {
+ return false;
+ }
+
+ /* the multiplication can overflow, also abs(-2^31) may return a negative value */
+ size = (uint64_t) height * abs(stride);
+ if (size > MAX_DATA_CHUNK) {
+ return false;
+ }
+
+ return true;
+}
+
int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
RedSurfaceCmd *red, QXLPHYSICAL addr)
{
QXLSurfaceCmd *qxl;
uint64_t size;
int error;
- unsigned int bpp;
qxl = (QXLSurfaceCmd *)memslot_get_virt(slots, addr, sizeof(*qxl), group_id,
&error);
@@ -1353,26 +1381,13 @@ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
red->u.surface_create.width = qxl->u.surface_create.width;
red->u.surface_create.height = qxl->u.surface_create.height;
red->u.surface_create.stride = qxl->u.surface_create.stride;
- bpp = surface_format_to_bpp(red->u.surface_create.format);
- /* check if format is valid */
- if (!bpp) {
+ if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
+ red->u.surface_create.stride, red->u.surface_create.format)) {
return 1;
}
- /* check stride is larger than required bytes */
- size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
- /* the uint32_t conversion is here to avoid problems with -2^31 value */
- if (red->u.surface_create.stride == G_MININT32
- || size > (uint32_t) abs(red->u.surface_create.stride)) {
- return 1;
- }
-
- /* the multiplication can overflow, also abs(-2^31) may return a negative value */
- size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
- if (size > MAX_DATA_CHUNK) {
- return 1;
- }
+ size = red->u.surface_create.height * abs(red->u.surface_create.stride);
red->u.surface_create.data =
(uint8_t*)memslot_get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
if (error) {
diff --git a/server/red-parse-qxl.h b/server/red-parse-qxl.h
index 9c30572..72a57b4 100644
--- a/server/red-parse-qxl.h
+++ b/server/red-parse-qxl.h
@@ -127,6 +127,9 @@ int red_get_message(RedMemSlotInfo *slots, int group_id,
RedMessage *red, QXLPHYSICAL addr);
void red_put_message(RedMessage *red);
+bool red_validate_surface(uint32_t width, uint32_t height,
+ int32_t stride, uint32_t format);
+
int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
RedSurfaceCmd *red, QXLPHYSICAL addr);
void red_put_surface_cmd(RedSurfaceCmd *red);
--
2.7.3
Reference in new issue View Git Blame Copy Permalink