[PATCH] quic: Check image size in quic_decode_begin

author Frediano Ziglio <freddy77@gmail.com>

Wed, 29 Apr 2020 14:10:24 +0000 (15:10 +0100)

committer Utkarsh Gupta <utkarsh@debian.org>

Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)
author Frediano Ziglio <freddy77@gmail.com>
Wed, 29 Apr 2020 14:10:24 +0000 (15:10 +0100)
committer Utkarsh Gupta <utkarsh@debian.org>
Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)
diff --git a/spice-common/common/quic.c b/spice-common/common/quic.c

index d6fb8f2db1d0b8cc9659293f47b5d3ed6195cdbc..13f84be62e64cf289264f8b04b05a2a19cb613d4 100644 (file)
--- a/spice-common/common/quic.c
+++ b/spice-common/common/quic.c
@@ -68,6 +68,9 @@ typedef uint8_t BYTE;
  #define MINwminext 1
  #define MAXwminext 100000000
  
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
+
  typedef struct QuicFamily {
      unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
                                                      unmodified GR codewords in the code */
@@ -1408,6 +1411,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
      height = encoder->io_word;
      decode_eat32bits(encoder);
  
+    if (width <= 0 || height <= 0) {
+        encoder->usr->warn(encoder->usr, "invalid size\n");
+        return QUIC_ERROR;
+    }
+
+    /* avoid too big images */
+    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
+        encoder->usr->error(encoder->usr, "image too large\n");
+    }
+
      quic_image_params(encoder, type, &channels, &bpc);
  
      if (!encoder_reste_channels(encoder, channels, width, bpc)) {
author	Frediano Ziglio <freddy77@gmail.com>
	Wed, 29 Apr 2020 14:10:24 +0000 (15:10 +0100)
committer	Utkarsh Gupta <utkarsh@debian.org>
	Sun, 1 Nov 2020 16:10:46 +0000 (16:10 +0000)