Commit 1fae1191 authored by Qiuhao Li, committed by Frediano Ziglio

reds: fix nullptr deref in red-parse-qxl.cpp

At red-parse-qxl.cpp#L535

        if (qxl_flags & QXL_BITMAP_DIRECT) {
            red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
                                                         qxl->bitmap.data,
                                                         bitmap_size);

Since qxl->bitmap.data may come from the guest, an attacker can make the
memslot_get_virt() check in red_get_image_data_flat() fail and
return a nullptr.

Then at red-parse-qxl.cpp#L550

        if (qxl_flags & QXL_BITMAP_UNSTABLE) {
            red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
        }

qxl_flags is assigned as qxl->bitmap.flags before, which can also be
controlled by the attacker, resulting in a NULL pointer dereference.

This dereference seems to have been introduced by commit 5ac88aa7.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
parent 848c231d
Pipeline #307019 passed with stage
in 18 minutes and 12 seconds
......@@ -535,6 +535,9 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
qxl->bitmap.data,
bitmap_size);
if (red->u.bitmap.data == nullptr) {
goto error;
}
} else {
size = red_get_data_chunks(slots, group_id,
&chunks, qxl->bitmap.data);
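Review bot: the nullptr check after red_get_image_data_flat() is sufficient to prevent the later `red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;` dereference described in the message, because `goto error` leaves the function before that line is reached; please confirm that the `error` label frees `red` and any data already attached to it on this path, and consider logging a diagnostic next to the `goto error` so that a rejected guest bitmap shows up in the logs instead of being dropped silently.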
......