From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 14:11:38 +0000 (+0100)
Subject: [PATCH] quic: Check RLE lengths
X-Git-Tag: archive/raspbian/0.33-3.3+deb9u2+rpi1^2~2
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=4caa7e100d2613051e6e8a07be1306118cb83814;p=spice-gtk.git

[PATCH] quic: Check RLE lengths

Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>

Gbp-Pq: Name CVE-2020-14355_part3.patch
---

diff --git a/spice-common/common/quic_tmpl.c b/spice-common/common/quic_tmpl.c
index e839346..9035e81 100644
--- a/spice-common/common/quic_tmpl.c
+++ b/spice-common/common/quic_tmpl.c
@@ -563,11 +563,16 @@ do_run:
         channel->state.waitcnt = stopidx - i;
         run_index = i;
 #ifdef RLE_STAT
-        run_end = i + decode_channel_run(encoder, channel);
+        run_end = decode_channel_run(encoder, channel);
 #else
-        run_end = i + decode_run(encoder);
+        run_end = decode_run(encoder);
 #endif
 
+        if (run_end < 0 || run_end > (end - i)) {
+            encoder->usr->error(encoder->usr, "wrong RLE\n");
+        }
+        run_end += i;
+
         for (; i < run_end; i++) {
             cur_row[i].a = cur_row[i - 1].a;
         }