Attachment #435382 for bug #584126




#include <config.h>
#endif

#include <stdbool.h>
#include <inttypes.h>
#include <glib.h>
#include "common/lz_common.h"

    return 0;
}

bool red_validate_surface(uint32_t width, uint32_t height,
                          int32_t stride, uint32_t format)
{
    unsigned int bpp;
    uint64_t size;

    bpp = surface_format_to_bpp(format);

    /* check if format is valid */
    if (!bpp) {
        return false;
    }

    /* check stride is larger than required bytes */
    size = ((uint64_t) width * bpp + 7u) / 8u;
    /* the uint32_t conversion is here to avoid problems with -2^31 value */
    if (stride == G_MININT32 || size > (uint32_t) abs(stride)) {
        return false;
    }

    /* the multiplication can overflow, also abs(-2^31) may return a negative value */
    size = (uint64_t) height * abs(stride);
    if (size > MAX_DATA_CHUNK) {
        return false;
    }

    return true;
}

int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
                        RedSurfaceCmd *red, QXLPHYSICAL addr)
{
    QXLSurfaceCmd *qxl;
    uint64_t size;
    int error;
    unsigned int bpp;

    qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id,
                                    &error);

        red->u.surface_create.width  = qxl->u.surface_create.width;
        red->u.surface_create.height = qxl->u.surface_create.height;
        red->u.surface_create.stride = qxl->u.surface_create.stride;
        bpp = surface_format_to_bpp(red->u.surface_create.format);

        if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
                                  red->u.surface_create.stride, red->u.surface_create.format)) {
            return 1;
        }

        size = red->u.surface_create.height * abs(red->u.surface_create.stride);
        size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
        /* the uint32_t conversion is here to avoid problems with -2^31 value */
        if (red->u.surface_create.stride == G_MININT32
            || size > (uint32_t) abs(red->u.surface_create.stride)) {
            return 1;
        }

        /* the multiplication can overflow, also abs(-2^31) may return a negative value */
        size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
        if (size > MAX_DATA_CHUNK) {
            return 1;
        }
        red->u.surface_create.data =
            (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
        if (error) {

Lines 19-24 Link Here

(-)a/server/red_parse_qxl.h (+5 lines)
19	#ifndef RED_ABI_TRANSLATE_H	19	#ifndef RED_ABI_TRANSLATE_H
20	#define RED_ABI_TRANSLATE_H	20	#define RED_ABI_TRANSLATE_H
21		21
		22	#include <stdbool.h>
		23
22	#include <spice/qxl_dev.h>	24	#include <spice/qxl_dev.h>
23	#include "red_common.h"	25	#include "red_common.h"
24	#include "red_memslots.h"	26	#include "red_memslots.h"
Lines 128-133 int red_get_message(RedMemSlotInfo *slots, int group_id, Link Here
128	RedMessage *red, QXLPHYSICAL addr);	130	RedMessage *red, QXLPHYSICAL addr);
129	void red_put_message(RedMessage *red);	131	void red_put_message(RedMessage *red);
130		132
		133	bool red_validate_surface(uint32_t width, uint32_t height,
		134	int32_t stride, uint32_t format);
		135
131	int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,	136	int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
132	RedSurfaceCmd *red, QXLPHYSICAL addr);	137	RedSurfaceCmd *red, QXLPHYSICAL addr);
133	void red_put_surface_cmd(RedSurfaceCmd *red);	138	void red_put_surface_cmd(RedSurfaceCmd *red);

Return to bug 584126

Lines 19-25 Link Here

(-)a/server/red_parse_qxl.c (-18 / +32 lines)
19	#include <config.h>	19	#include <config.h>
20	#endif	20	#endif
21		21
22	#include <stdbool.h>
23	#include <inttypes.h>	22	#include <inttypes.h>
24	#include <glib.h>	23	#include <glib.h>
25	#include "common/lz_common.h"	24	#include "common/lz_common.h"
Lines 1306-1318 static unsigned int surface_format_to_bpp(uint32_t format) Link Here
1306	return 0;	1305	return 0;
1307	}	1306	}
1308		1307
		1308	bool red_validate_surface(uint32_t width, uint32_t height,
		1309	int32_t stride, uint32_t format)
		1310	{
		1311	unsigned int bpp;
		1312	uint64_t size;
		1313
		1314	bpp = surface_format_to_bpp(format);
		1315
		1316	/* check if format is valid */
		1317	if (!bpp) {
		1318	return false;
		1319	}
		1320
		1321	/* check stride is larger than required bytes */
		1322	size = ((uint64_t) width * bpp + 7u) / 8u;
		1323	/* the uint32_t conversion is here to avoid problems with -2^31 value */
		1324	if (stride == G_MININT32 \|\| size > (uint32_t) abs(stride)) {
		1325	return false;
		1326	}
		1327
		1328	/* the multiplication can overflow, also abs(-2^31) may return a negative value */
		1329	size = (uint64_t) height * abs(stride);
		1330	if (size > MAX_DATA_CHUNK) {
		1331	return false;
		1332	}
		1333
		1334	return true;
		1335	}
		1336
1309	int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,	1337	int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
1310	RedSurfaceCmd *red, QXLPHYSICAL addr)	1338	RedSurfaceCmd *red, QXLPHYSICAL addr)
1311	{	1339	{
1312	QXLSurfaceCmd *qxl;	1340	QXLSurfaceCmd *qxl;
1313	uint64_t size;	1341	uint64_t size;
1314	int error;	1342	int error;
1315	unsigned int bpp;
1316		1343
1317	qxl = (QXLSurfaceCmd )get_virt(slots, addr, sizeof(qxl), group_id,	1344	qxl = (QXLSurfaceCmd )get_virt(slots, addr, sizeof(qxl), group_id,
1318	&error);	1345	&error);
Lines 1331-1356 int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, Link Here
1331	red->u.surface_create.width = qxl->u.surface_create.width;	1358	red->u.surface_create.width = qxl->u.surface_create.width;
1332	red->u.surface_create.height = qxl->u.surface_create.height;	1359	red->u.surface_create.height = qxl->u.surface_create.height;
1333	red->u.surface_create.stride = qxl->u.surface_create.stride;	1360	red->u.surface_create.stride = qxl->u.surface_create.stride;
1334	bpp = surface_format_to_bpp(red->u.surface_create.format);
1335		1361
1336	/* check if format is valid */	1362	if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
1337	if (!bpp) {	1363	red->u.surface_create.stride, red->u.surface_create.format)) {
1338	return 1;	1364	return 1;
1339	}	1365	}
1340		1366
1341	/* check stride is larger than required bytes */	1367	size = red->u.surface_create.height * abs(red->u.surface_create.stride);
1342	size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
1343	/* the uint32_t conversion is here to avoid problems with -2^31 value */
1344	if (red->u.surface_create.stride == G_MININT32
1345	\|\| size > (uint32_t) abs(red->u.surface_create.stride)) {
1346	return 1;
1347	}
1348
1349	/* the multiplication can overflow, also abs(-2^31) may return a negative value */
1350	size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
1351	if (size > MAX_DATA_CHUNK) {
1352	return 1;
1353	}
1354	red->u.surface_create.data =	1368	red->u.surface_create.data =
1355	(uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);	1369	(uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
1356	if (error) {	1370	if (error) {