Package: spice / 0.14.3-2.1

CVE-2020-14355/0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch

From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:09:13 +0100
Subject: [1/4] quic: Check we have some data to start decoding quic image
https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d
Bug-Debian: https://bugs.debian.org/971750
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14355

All paths already pass some data to quic_decode_begin but for the
test check it, it's not that expensive test.
Checking for not 0 is enough, all other words will potentially be
read calling more_io_words but we need one to avoid a potential
initial buffer overflow or dereferencing an invalid pointer.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 subprojects/spice-common/common//quic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
index e2dee0fd6874..bc753ca5064a 100644
--- a/subprojects/spice-common/common//quic.c
+++ b/subprojects/spice-common/common//quic.c
@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
     int channels;
     int bpc;
 
-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
+    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
         return QUIC_ERROR;
     }
 
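Review bot: the `!num_io_words` test added to the condition in quic_decode_begin validates only the word count, while io_ptr is still handed to encoder_reset without a check of its own, so pointer validity remains the caller's responsibility. If that is intended, a one-line comment above the `if` saying that at least one input word is required before decoding starts would record the reason in the code, which at present is only explained in the commit message. The diffstat lists quic.c alone, so a regression test that calls quic_decode_begin with a zero word count and expects QUIC_ERROR would be a useful companion to this change.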
-- 
2.28.0