Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 1459095 Details for
Bug 1598234
CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Second patch
0002-lz-More-checks-on-image-sizes.patch (text/plain), 2.83 KB, created by
Christophe Fergeau
on 2018-07-16 09:06:53 UTC
(
hide
)
Description:
Second patch
Filename:
MIME Type:
Creator:
Christophe Fergeau
Created:
2018-07-16 09:06:53 UTC
Size:
2.83 KB
patch
obsolete
>From 7117d2dced9438ce8074d20362196a313b0854cc Mon Sep 17 00:00:00 2001 >From: Frediano Ziglio <fziglio@redhat.com> >Date: Mon, 25 Jun 2018 14:16:10 +0100 >Subject: [PATCH spice-common 2/2] lz: More checks on image sizes > >Extend sizes check also to decoding, actually the source data >decoding images should be less safe than encoding. >This avoids different integer overflows and buffer overflows. >To avoid potential issues images are limited to 1GB. > >Signed-off-by: Frediano Ziglio <fziglio@redhat.com> >--- > common/lz.c | 36 +++++++++++++++++++++++++++--------- > 1 file changed, 27 insertions(+), 9 deletions(-) > >diff --git a/common/lz.c b/common/lz.c >index e76105e..f57d388 100644 >--- a/common/lz.c >+++ b/common/lz.c >@@ -482,17 +482,13 @@ typedef uint16_t rgb16_pixel_t; > #undef LZ_UNEXPECT_CONDITIONAL > #undef LZ_EXPECT_CONDITIONAL > >-int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, >- uint8_t *lines, unsigned int num_lines, int stride, >- uint8_t *io_ptr, unsigned int num_io_bytes) >+static void lz_check_sizes(Encoder *encoder) > { >- Encoder *encoder = (Encoder *)lz; >- uint8_t *io_ptr_end = io_ptr + num_io_bytes; >+ const int width = encoder->width; > >- encoder->type = type; >- encoder->width = width; >- encoder->height = height; >- encoder->stride = stride; >+ if (width < 0 || encoder->height < 0 || encoder->stride < 0) { >+ encoder->usr->error(encoder->usr, "invalid lz size\n"); >+ } > > if (IS_IMAGE_TYPE_PLT[encoder->type]) { > if (encoder->stride > (width / PLT_PIXELS_PER_BYTE[encoder->type])) { >@@ -509,6 +505,26 @@ int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_do > } > } > >+ // avoid too big images, 1 GB is enough >+ if ((uint64_t) encoder->stride * encoder->height >= 1024u * 1024u * 1024u) { >+ encoder->usr->error(encoder->usr, "image too large\n"); >+ } >+} >+ >+int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, >+ uint8_t *lines, unsigned int num_lines, int stride, >+ uint8_t *io_ptr, unsigned int num_io_bytes) >+{ >+ Encoder *encoder = (Encoder *)lz; >+ uint8_t *io_ptr_end = io_ptr + num_io_bytes; >+ >+ encoder->type = type; >+ encoder->width = width; >+ encoder->height = height; >+ encoder->stride = stride; >+ >+ lz_check_sizes(encoder); >+ > // assign the output buffer > if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { > encoder->usr->error(encoder->usr, "lz encoder io reset failed\n"); >@@ -600,6 +616,8 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, > encoder->width = decode_32(encoder); > encoder->height = decode_32(encoder); > encoder->stride = decode_32(encoder); >+ lz_check_sizes(encoder); >+ > *out_top_down = decode_32(encoder); > > *out_width = encoder->width; >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1598234
:
1459094
| 1459095