Red Hat Bugzilla – Attachment 1459094 Details for Bug 1598234
CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows
[patch] First patch
0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch (text/plain), 2.28 KB, created by Christophe Fergeau on 2018-07-16 09:06:14 UTC
>From b94b3ca285d81180ed8fdf18f949761e40657b93 Mon Sep 17 00:00:00 2001 >From: Frediano Ziglio <fziglio@redhat.com> >Date: Fri, 22 Dec 2017 18:43:00 +0000 >Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking > for image type > >The type of the image is just copied from network without >any check and later used for array indexing. > >Signed-off-by: Frediano Ziglio <fziglio@redhat.com> >--- > common/lz.c | 3 +++ > common/lz_common.h | 7 ++++--- > 2 files changed, 7 insertions(+), 3 deletions(-) > >diff --git a/common/lz.c b/common/lz.c >index b7e7d48..e76105e 100644 >--- a/common/lz.c >+++ b/common/lz.c >@@ -594,6 +594,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, > } > > encoder->type = (LzImageType)decode_32(encoder); >+ if (encoder->type < 0 || encoder->type > LZ_IMAGE_TYPE_MAX) { >+ encoder->usr->error(encoder->usr, "invalid lz type\n"); >+ } > encoder->width = decode_32(encoder); > encoder->height = decode_32(encoder); > encoder->stride = decode_32(encoder); >diff --git a/common/lz_common.h b/common/lz_common.h >index 78df003..6526d16 100644 >--- a/common/lz_common.h >+++ b/common/lz_common.h >@@ -51,6 +51,7 @@ typedef enum { > > #define LZ_IMAGE_TYPE_MASK 0x0f > #define LZ_IMAGE_TYPE_LOG 4 // number of bits required for coding the image type >+#define LZ_IMAGE_TYPE_MAX LZ_IMAGE_TYPE_A8 > > /* access to the arrays is based on the image types */ > static const int IS_IMAGE_TYPE_PLT[] = {0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0}; 
>@@ -58,10 +59,10 @@ static const int IS_IMAGE_TYPE_RGB[] = {0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1}; > static const int PLT_PIXELS_PER_BYTE[] = {0, 8, 8, 2, 2, 1}; > static const int RGB_BYTES_PER_PIXEL[] = {0, 1, 1, 1, 1, 1, 2, 3, 4, 4, 4, 1}; > >-verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_A8 + 1)); >-verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_A8 + 1)); >+verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_MAX + 1)); >+verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_MAX + 1)); > verify(SPICE_N_ELEMENTS(PLT_PIXELS_PER_BYTE) == (LZ_IMAGE_TYPE_PLT8 + 1)); >-verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_A8 + 1)); >+verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_MAX + 1)); > > /* ASCII "LZ " */ > #define LZ_MAGIC 0x20205a4c >-- >2.17.1 >
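Review bot: In the common/lz.c hunk (lz_decode_begin), the new range check on encoder->type only calls encoder->usr->error(...) and then falls through to the decode_32 calls for width, height and stride. Nothing in the visible lines stops decoding, so the fix depends on the error callback never returning. If that is the contract, state it in a comment at the call; otherwise add a return (the function is void) or a jump to a failure path right after the call. Separately, the `encoder->type < 0` half of the test only does anything if the compiler gives LzImageType a signed underlying type; checking the raw decode_32 result against LZ_IMAGE_TYPE_MAX as an unsigned value before the cast would cover both directions without relying on that.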
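Review bot: In the first common/lz_common.h hunk, LZ_IMAGE_TYPE_MAX is a macro that names LZ_IMAGE_TYPE_A8 by hand, away from the enum it describes, and it carries no comment. Anyone appending an image type has to remember to update it, and until they do the decoder will reject the new type at run time. Add a comment on the define saying it must equal the last enumerator, or define the bound inside the enum itself so it cannot drift.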
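Review bot: In the second common/lz_common.h hunk, the verify() for PLT_PIXELS_PER_BYTE is left sized to LZ_IMAGE_TYPE_PLT8 + 1 (six entries), so a type that passes the new check against LZ_IMAGE_TYPE_MAX can still be past the end of that table. The bound added in lz.c therefore does not protect lookups into PLT_PIXELS_PER_BYTE on its own; they stay safe only if every use is gated on IS_IMAGE_TYPE_PLT[type] first. Either document that requirement next to the array, or pad the array to LZ_IMAGE_TYPE_MAX + 1 entries so all four tables share one bound.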
Attachments on bug 1598234: 1459094 | 1459095