authorMarc-André Lureau <marcandre.lureau@redhat.com>2021-04-13 21:27:00 +0400
committerMarc-André Lureau <marcandre.lureau@redhat.com>2021-04-13 21:30:38 +0400
commit91362d045a42b56cb8bc2b91034b91165482723f (patch)
tree5d1ffbe622b05cd31fdc20107bb9f2713e0ba03a
parent68188b0c217c3066535c50eabb04472af9ed8e47 (diff)
Fix invalid vdagent buffer access
The callers use the "size" argument in different ways: either as the size of the data to convert, or as the end boundary from which the offset is subtracted. Fix it so that the "size" argument means the amount of data to convert, in bytes, which seems simpler and saner. (yay C) Fixes: spice#53 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r--common/agent.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/common/agent.c b/common/agent.c
index e29fdcd..3894c7f 100644
--- a/common/agent.c
+++ b/common/agent.c
@@ -132,8 +132,8 @@ static void uint16_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
uint32_t i;
uint16_unaligned_t *msg = (uint16_unaligned_t *)(_msg + offset);
- /* offset - size % 2 should be 0 - extra bytes are ignored */
- for (i = 0; i < (size - offset) / 2; i++) {
+ /* size % 2 should be 0 - extra bytes are ignored */
+ for (i = 0; i < size / 2; i++) {
FIX_ENDIAN16(msg[i].v);
}
}
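Review bot: Now that `size` means the number of bytes to convert, `uint16_from_le` still has no knowledge of the real buffer length, so the requirement that `offset + size` lies inside `_msg` rests entirely on the caller and deserves to be written down above the signature, e.g. `/* Byte-swap size/2 consecutive little-endian uint16 values at _msg + offset. The caller must ensure offset + size does not exceed the message length; a trailing odd byte is left untouched. */`. A `size` that has wrapped from an unsigned subtraction at a call site would make this loop walk far past the end of the message, and nothing in the helper can detect that, so callers must check the bound before subtracting. The function's opening line is visible only in the hunk header.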
@@ -143,8 +143,8 @@ static void uint32_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
uint32_t i;
uint32_unaligned_t *msg = (uint32_unaligned_t *)(_msg + offset);
- /* offset - size % 4 should be 0 - extra bytes are ignored */
- for (i = 0; i < (size - offset) / 4; i++) {
+ /* size % 4 should be 0 - extra bytes are ignored */
+ for (i = 0; i < size / 4; i++) {
FIX_ENDIAN32(msg[i].v);
}
}
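Review bot: `uint32_from_le` converts `size / 4` values starting at `_msg + offset` and trusts the caller that this range fits within the message, but the changed meaning of `size` is stated nowhere except the commit message; a one-line comment such as `/* Byte-swap size/4 little-endian uint32 values at _msg + offset; caller guarantees offset + size <= message length. */` would keep future callers from reintroducing the end-boundary interpretation this commit removes. Because this helper and the 16-bit one differ only in element width, pointing both comments at the same contract keeps them from drifting apart. The function's opening line is visible only in the hunk header.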
@@ -168,7 +168,7 @@ agent_message_clipboard_from_le(const VDAgentMessage *message_header, uint8_t *d
FIX_ENDIAN32(data_type->v);
break;
case VD_AGENT_CLIPBOARD_GRAB:
- uint32_from_le(data, message_header->size, min_size);
+ uint32_from_le(data, message_header->size - min_size, min_size);
break;
case VD_AGENT_CLIPBOARD_RELEASE:
// empty
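Review bot: The new argument `message_header->size - min_size` on the VD_AGENT_CLIPBOARD_GRAB line is an unsigned subtraction; if `message_header->size` is ever smaller than `min_size`, it wraps to a value near 4 GiB and `uint32_from_le` would then byte-swap far past the end of `data`. The function presumably relies on an earlier check (agent_check_message, or a guard at the top of this function, neither of which is visible in the hunk) to rule that out; if so, a comment such as `/* size >= min_size was validated by agent_check_message */` would record the dependency, otherwise `if (message_header->size < min_size) return;` before the switch is cheap insurance. On little-endian hosts FIX_ENDIAN32 may compile to a no-op, which would hide such an overrun in routine testing and let it surface only on big-endian builds. agent_message_clipboard_from_le starts and ends outside the hunk.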
@@ -318,7 +318,7 @@ agent_check_message(const VDAgentMessage *message_header, uint8_t *message,
if (vdata->nchannels > max_channels) {
return AGENT_CHECK_TRUNCATED;
}
- uint16_from_le(message, message_header->size, sizeof(*vdata));
+ uint16_from_le(message, message_header->size - sizeof(*vdata), sizeof(*vdata));
break;
}
default:
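Review bot: The converted length `message_header->size - sizeof(*vdata)` is a `size_t` that is narrowed implicitly to the `uint32_t size` parameter of `uint16_from_le`, and it wraps if `message_header->size < sizeof(*vdata)`; the hunk does not show whether that minimum has already been enforced before `max_channels` was computed. Since `vdata->nchannels <= max_channels` has just been verified on the lines above, the tighter and self-evidently in-bounds length is the channel data actually consumed: `uint16_from_le(message, vdata->nchannels * sizeof(uint16_t), sizeof(*vdata));`, which also avoids swapping trailing bytes that nothing reads. This assumes `nchannels` is a single-byte field not itself subject to byte order; if it is wider it must be converted first. The `max_channels` computation and the start of agent_check_message lie outside the hunk.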