Package: spice / 0.14.3-2.1

CVE-2020-14355/0002-quic-Check-image-size-in-quic_decode_begin.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:10:24 +0100
Subject: [2/4] quic: Check image size in quic_decode_begin
https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d74782c8b5e57d146c5bf3118bb41bf3378e4
Bug-Debian: https://bugs.debian.org/971750
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14355

Avoid some overflow in code due to images too big or
negative numbers.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 subprojects/spice-common/common//quic.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
index bc753ca5064a..681531677fbd 100644
--- a/subprojects/spice-common/common//quic.c
+++ b/subprojects/spice-common/common//quic.c
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
 #define MINwminext 1
 #define MAXwminext 100000000
 
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
+
 typedef struct QuicFamily {
     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
                                                     unmodified GR codewords in the code */
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
     height = encoder->io_word;
     decode_eat32bits(encoder);
 
+    if (width <= 0 || height <= 0) {
+        encoder->usr->warn(encoder->usr, "invalid size\n");
+        return QUIC_ERROR;
+    }
+
+    /* avoid too big images */
+    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
+        encoder->usr->error(encoder->usr, "image too large\n");
+    }
+
     quic_image_params(encoder, type, &channels, &bpc);
 
     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
-- 
2.28.0