Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-emulation/spice/files
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/spice/files')
-rw-r--r--app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch31
-rw-r--r--app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch13
-rw-r--r--app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch18
-rw-r--r--app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch17
4 files changed, 0 insertions, 79 deletions
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
deleted file mode 100644
index 338f4e6ca657..000000000000
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff --git a/common/quic.c b/common/quic.c
-index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644
---- a/subprojects/spice-common/common/quic.c
-+++ b/subprojects/spice-common/common/quic.c
-@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
- #define MINwminext 1
- #define MAXwminext 100000000
-
-+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
-+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
-+
- typedef struct QuicFamily {
- unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
- unmodified GR codewords in the code */
-@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
- height = encoder->io_word;
- decode_eat32bits(encoder);
-
-+ if (width <= 0 || height <= 0) {
-+ encoder->usr->warn(encoder->usr, "invalid size\n");
-+ return QUIC_ERROR;
-+ }
-+
-+ /* avoid too big images */
-+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
-+ encoder->usr->error(encoder->usr, "image too large\n");
-+ }
-+
- quic_image_params(encoder, type, &channels, &bpc);
-
- if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
deleted file mode 100644
index ce79ef0043ee..000000000000
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/common/quic.c b/common/quic.c
-index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644
---- a/subprojects/spice-common/common/quic.c
-+++ b/subprojects/spice-common/common/quic.c
-@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
- int channels;
- int bpc;
-
-- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
-+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
- return QUIC_ERROR;
- }
-
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
deleted file mode 100644
index 40127deda15a..000000000000
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
-index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644
---- a/subprojects/spice-common/common/quic_family_tmpl.c
-+++ b/subprojects/spice-common/common/quic_family_tmpl.c
-@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
- {
- spice_extra_assert(val < (0x1U << BPC));
-
-- return channel->_buckets_ptrs[val];
-+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
-+ * attempts. Is much faster then using comparisons and save us from such situations.
-+ * Note that on normal build the check above won't be compiled as this code path
-+ * is pretty hot and would cause speed regressions.
-+ */
-+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
- }
-
- #undef FNAME
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
deleted file mode 100644
index bc764ec23ce2..000000000000
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
-index ecd6f3f187c753a89b7dbb0657edc3ae82ffaaff..ebae992d642a657a7505b3ca0e8145310805f32f 100644
---- a/subprojects/spice-common/common/quic_tmpl.c
-+++ b/subprojects/spice-common/common/quic_tmpl.c
-@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
- do_run:
- state->waitcnt = stopidx - i;
- run_index = i;
-- run_end = i + decode_state_run(encoder, state);
-+ run_end = decode_state_run(encoder, state);
-+ if (run_end < 0 || run_end > (end - i)) {
-+ encoder->usr->error(encoder->usr, "wrong RLE\n");
-+ }
-+ run_end += i;
-
- for (; i < run_end; i++) {
- UNCOMPRESS_PIX_START(&cur_row[i]);