quic: Check RLE lengths

Avoid buffer overflows decoding images. On compression we compute lengths till end of line so it won't cause regressions. Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>

quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute lengths till end of line so it won't cause regressions. Proved by fuzzing the code. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com>
ef1b6ff7 · Frediano Ziglio · 404d7478 · ef1b6ff7
Commit ef1b6ff7 authored Apr 29, 2020 by Frediano Ziglio
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

common/quic_tmpl.c common/quic_tmpl.c +5 -1

No files found.
--- a/common/quic_tmpl.c
+++ b/common/quic_tmpl.c
@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
 do_run:
        state->waitcnt = stopidx - i;
        run_index = i;
-        run_end = i + decode_state_run(encoder, state);
+        run_end = decode_state_run(encoder, state);
+        if (run_end < 0 || run_end > (end - i)) {
+            encoder->usr->error(encoder->usr, "wrong RLE\n");
+        }
+        run_end += i;

        for (; i < run_end; i++) {
            UNCOMPRESS_PIX_START(&cur_row[i]);