Package: spice / 0.14.3-2.1

CVE-2020-14355/0003-quic-Check-RLE-lengths.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:11:38 +0100
Subject: [3/4] quic: Check RLE lengths
https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206
Bug-Debian: https://bugs.debian.org/971750
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14355

Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 subprojects/spice-common/common//quic_tmpl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/subprojects/spice-common/common//quic_tmpl.c b/subprojects/spice-common/common//quic_tmpl.c
index ecd6f3f187c7..ebae992d642a 100644
--- a/subprojects/spice-common/common//quic_tmpl.c
+++ b/subprojects/spice-common/common//quic_tmpl.c
@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
 do_run:
         state->waitcnt = stopidx - i;
         run_index = i;
-        run_end = i + decode_state_run(encoder, state);
+        run_end = decode_state_run(encoder, state);
+        if (run_end < 0 || run_end > (end - i)) {
+            encoder->usr->error(encoder->usr, "wrong RLE\n");
+        }
+        run_end += i;
 
         for (; i < run_end; i++) {
             UNCOMPRESS_PIX_START(&cur_row[i]);
-- 
2.28.0