    reds: fix nullptr deref in red-parse-qxl.cpp · 1fae1191
    Qiuhao Li authored
    At red-parse-qxl.cpp#L535
    
            if (qxl_flags & QXL_BITMAP_DIRECT) {
                red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
                                                             qxl->bitmap.data,
                                                             bitmap_size);
    
    Since qxl->bitmap.data may come from the guest, an attacker can make the
    memslot_get_virt() check in red_get_image_data_flat() fail and
    return a nullptr.
    
    Then at red-parse-qxl.cpp#L550
    
            if (qxl_flags & QXL_BITMAP_UNSTABLE) {
                red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
            }
    
    qxl_flags is assigned as qxl->bitmap.flags before, which can also be
    controlled by the attacker, resulting in a NULL pointer dereference.
    
    This dereference seems to be introduced by commit 5ac88aa7.
    Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
red-parse-qxl.cpp 51.1 KB
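The pattern the commit message describes, as an added example that is not SPICE's own code: a guest-supplied address is translated through a memory-slot table, translation returns nullptr when the range is not inside any slot, and the parser must stop there rather than let a later flag assignment dereference the null pointer. The struct and function names (`Slot`, `MemSlots`, `memslot_get_virt`, `get_image_data_flat`, `parse_bitmap_checked`, `run_demo`) are simplified stand-ins for the functions the message refers to, the slot table and the four guest commands are constructed for the demonstration, and the in-function comment marks where the pre-fix code dereferenced `red->data` unconditionally.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>

// Added example, not SPICE code. Names are simplified stand-ins for the
// memslot / red-parse functions named in the commit message.

// A memory slot: a guest-physical range backed by host memory.
struct Slot {
    uint64_t start;   // first guest address covered by the slot
    uint64_t size;    // length of the range in bytes
    uint8_t *host;    // host buffer backing the range
};
struct MemSlots { const Slot *slots; size_t count; };

// Host-side chunk description filled in from a validated guest buffer.
enum { CHUNKS_FLAGS_UNSTABLE = 1 << 0 };
struct Chunks { uint32_t flags; uint8_t *bytes; size_t len; };
struct Bitmap { Chunks *data; };

// Guest-controlled command as it arrives from the command ring.
enum { BITMAP_DIRECT = 1 << 0, BITMAP_UNSTABLE = 1 << 1 };
struct GuestBitmap {
    uint32_t flags;   // attacker-controlled
    uint64_t data;    // attacker-controlled guest address
    size_t size;      // requested length
};

// Resolve [addr, addr+len) to host memory, or nullptr if any part of the
// range lies outside every slot. The subtraction-based check cannot
// overflow, so a wrapping addr+len is rejected too.
static uint8_t *memslot_get_virt(const MemSlots &ms, uint64_t addr, size_t len) {
    for (size_t i = 0; i < ms.count; ++i) {
        const Slot &s = ms.slots[i];
        if (addr >= s.start && len <= s.size && addr - s.start <= s.size - len)
            return s.host + (addr - s.start);
    }
    return nullptr;   // the validation failure the commit message describes
}

// Flat (non-chunked) image data: one contiguous guest range.
static Chunks *get_image_data_flat(const MemSlots &ms, uint64_t addr, size_t len, Chunks *out) {
    uint8_t *host = memslot_get_virt(ms, addr, len);
    if (host == nullptr) return nullptr;
    out->flags = 0; out->bytes = host; out->len = len;
    return out;
}

// Fixed pattern: reject the command as soon as translation fails, so the
// UNSTABLE flag update below only ever runs on a valid pointer.
static bool parse_bitmap_checked(const MemSlots &ms, const GuestBitmap &g, Bitmap *red, Chunks *storage) {
    uint32_t qxl_flags = g.flags;      // both flags and address come from the guest
    red->data = nullptr;
    if (qxl_flags & BITMAP_DIRECT) {
        red->data = get_image_data_flat(ms, g.data, g.size, storage);
        if (red->data == nullptr) return false;   // invalid guest address: drop it
    } else {
        return false;                             // chunked path not modelled here
    }
    // Before the fix, this line ran even when red->data was nullptr.
    if (qxl_flags & BITMAP_UNSTABLE) red->data->flags |= CHUNKS_FLAGS_UNSTABLE;
    return true;
}

// Constructed slot table: one 4 KiB slot at guest address 0x10000.
static uint8_t g_host[4096];
static const Slot g_slot_table[] = { { 0x10000, sizeof(g_host), g_host } };
static const MemSlots g_slots = { g_slot_table, 1 };

// Feeds four constructed commands through the checked parser and returns how
// many were accepted; only the one fully inside the slot should be.
int run_demo() {
    const GuestBitmap cmds[] = {
        { BITMAP_DIRECT | BITMAP_UNSTABLE, 0x10000 + 64, 256 },          // inside the slot
        { BITMAP_DIRECT | BITMAP_UNSTABLE, 0x20000, 256 },               // outside every slot
        { BITMAP_DIRECT | BITMAP_UNSTABLE, 0x10000 + 4000, 256 },        // runs past slot end
        { BITMAP_DIRECT | BITMAP_UNSTABLE, 0xFFFFFFFFFFFFFF00ull, 512 }, // addr+len wraps
    };
    int accepted = 0;
    for (const GuestBitmap &g : cmds) {
        Bitmap red; Chunks storage;
        if (parse_bitmap_checked(g_slots, g, &red, &storage)) {
            ++accepted;
            std::printf("accepted addr=%#llx chunk flags=%u\n", (unsigned long long)g.data, red.data->flags);
        } else {
            std::printf("rejected addr=%#llx\n", (unsigned long long)g.data);
        }
    }
    return accepted;
}

int main() { return run_demo() == 1 ? 0 : 1; }
```

The important property is that the nullptr check sits immediately after the translation, before any code path that reads through `red->data`; the range check in `memslot_get_virt` is written with subtractions so that a guest address chosen to wrap `addr + len` is rejected rather than mapped.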