authorFrediano Ziglio <fziglio@redhat.com>2015-09-08 10:00:37 +0100
committerFrediano Ziglio <fziglio@redhat.com>2015-10-06 11:11:10 +0100
commit68a742aaa8d692940ac15d021799b702412887e5 (patch)
tree86b71622e5d3f733ebf31460b17bdec66d91f8e4
parent1eb93baa3c594e1214b1c92bbad8a06e9c7e2d12 (diff)
Fix buffer reading overflow
Not a security risk, as this is only a read. However, this could be used to attempt integer overflows in the following lines. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-rw-r--r--server/red_parse_qxl.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index bdd5917..e2f95e4 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -361,7 +361,14 @@ static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24,
static int bitmap_consistent(SpiceBitmap *bitmap)
{
- int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
+ int bpp;
+
+ if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) {
+ spice_warning("wrong format specified for image\n");
+ return FALSE;
+ }
+
+ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format];
if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) {
spice_warning("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n",