authorFrediano Ziglio <freddy77@gmail.com>2020-04-29 15:11:38 +0100
committerFrediano Ziglio <freddy77@gmail.com>2020-09-17 06:46:57 +0100
commitef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 (patch)
tree9c16d4c4261aad73f0a44cc7b11e0ee05ac638cc
parent404d74782c8b5e57d146c5bf3118bb41bf3378e4 (diff)
quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute lengths till end of line so it won't cause regressions. Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r--common/quic_tmpl.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
index ecd6f3f..ebae992 100644
--- a/common/quic_tmpl.c
+++ b/common/quic_tmpl.c
@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
do_run:
state->waitcnt = stopidx - i;
run_index = i;
- run_end = i + decode_state_run(encoder, state);
+ run_end = decode_state_run(encoder, state);
+ if (run_end < 0 || run_end > (end - i)) {
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
+ }
+ run_end += i;
for (; i < run_end; i++) {
UNCOMPRESS_PIX_START(&cur_row[i]);
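Review bot: The added guard `if (run_end < 0 || run_end > (end - i))` only protects the loop below if `encoder->usr->error()` never returns; if it does return, execution falls through to `run_end += i` and the `for` loop still writes `cur_row[i]` past `end`. Nothing in the hunk shows that the callback is non-returning (presumably it aborts or longjmps, which should be confirmed at its declaration). I would state that dependency where the check is made, e.g. `/* error() must not return: run_end is outside the remaining row */` above the call, so a later change to the callback cannot silently reopen the overflow. The `run_end < 0` half of the test also only has an effect if `run_end` is a signed type, which is declared outside the visible lines. The body of uncompress_row_seg starts before and continues past this hunk.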