diff options
Diffstat (limited to 'app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch')
-rw-r--r-- | app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch deleted file mode 100644 index 338f4e6ca657..000000000000 --- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/common/quic.c b/common/quic.c -index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644 ---- a/subprojects/spice-common/common/quic.c -+++ b/subprojects/spice-common/common/quic.c -@@ -56,6 +56,9 @@ typedef uint8_t BYTE; - #define MINwminext 1 - #define MAXwminext 100000000 - -+/* Maximum image size in pixels, mainly to avoid possible integer overflows */ -+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1) -+ - typedef struct QuicFamily { - unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of - unmodified GR codewords in the code */ -@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w - height = encoder->io_word; - decode_eat32bits(encoder); - -+ if (width <= 0 || height <= 0) { -+ encoder->usr->warn(encoder->usr, "invalid size\n"); -+ return QUIC_ERROR; -+ } -+ -+ /* avoid too big images */ -+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) { -+ encoder->usr->error(encoder->usr, "image too large\n"); -+ } -+ - quic_image_params(encoder, type, &channels, &bpc); - - if (!encoder_reset_channels(encoder, channels, width, bpc)) { |