加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-0002-CVE-2020-14355.patch 1.72 KB
一键复制 编辑 原始数据 按行查看 历史
靳智敏 提交于 2021-02-23 14:56 . fix CVE-2020-14355
From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:10:24 +0100
Subject: [PATCH] quic: Check image size in quic_decode_begin
Avoid some overflow in code due to images too big or
negative numbers.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
subprojects/spice-common/common//quic.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
index bc753ca5064a..681531677fbd 100644
--- a/subprojects/spice-common/common//quic.c
+++ b/subprojects/spice-common/common//quic.c
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
#define MINwminext 1
#define MAXwminext 100000000
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
+
typedef struct QuicFamily {
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
unmodified GR codewords in the code */
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
height = encoder->io_word;
decode_eat32bits(encoder);
+ if (width <= 0 || height <= 0) {
+ encoder->usr->warn(encoder->usr, "invalid size\n");
+ return QUIC_ERROR;
+ }
+
+ /* avoid too big images */
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
+ encoder->usr->error(encoder->usr, "image too large\n");
+ }
+
quic_image_params(encoder, type, &channels, &bpc);
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
--
GitLab
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化