oss-sec mailing list archives
Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling
From: Florian Weimer <fweimer () redhat com>
Date: Fri, 17 Aug 2018 10:03:40 +0200
On 08/17/2018 02:51 AM, Doran Moppert wrote:
+ if (SPICE_UNLIKELY((start + 2) > message_end)) { + goto error; + }
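Review bot: the test `(start + 2) > message_end` forms the pointer `start + 2` before comparing it, and when fewer than two bytes remain that pointer lies beyond the end of the message object, which pointer arithmetic in C does not permit even if the comparison happens to give the right answer on every real platform; compare remaining length instead, e.g. `if (SPICE_UNLIKELY((uintptr_t)(message_end - start) < 2)) goto error;`, which subtracts only pointers already known to be within the buffer.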
These checks are still technically invalid because start + 2 is not a valid pointer if it points past the allocated object.
This is more problematic here:
+ if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + goto error; + }
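Review bot: `start2 + 2 + cursor_u__nw_size` adds an attacker-supplied size to the cursor before the bound is checked, so a sufficiently large cursor_u__nw_size wraps the sum back below message_end and the `>` test passes; first confirm two bytes remain past start2 with `(uintptr_t)(message_end - start2) >= 2`, then check the size against what is left, e.g. `if (SPICE_UNLIKELY(cursor_u__nw_size > (uintptr_t)(message_end - start2) - 2)) goto error;`, which is the pattern the commit message itself quotes and which cannot wrap because only lengths are compared.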
If cursor_u__nw_size results in pointer wraparound, the check might fail incorrectly.
The commit message quotes the right pattern, nw_size > (uintptr_t) (message_end - start), but it is not used in the actual code AFAICS.
Thanks, Florian
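The two patterns side by side, as an added example that is not part of Florian's message or of the spice code: a small length-prefixed-field demarshaller that applies the `nw_size > (uintptr_t)(message_end - start)` check, next to the rejected `start + n > message_end` form modelled in unsigned integer arithmetic so its wraparound can be observed without actually computing an invalid pointer. The function names (have_bytes, demarshal_field, naive_rejects), the 16-bit little-endian field format and the message buffers are constructed for illustration; the wraparound demonstration assumes size_t and uintptr_t have the same width, as on mainstream ABIs.

```c
/* Added example, not spice code: demarshaller bounds checks that never form an
 * out-of-range pointer and cannot be defeated by wraparound. The names and the
 * field format are illustrative assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes left between the cursor and the end of the message. Precondition:
 * both pointers refer to the same buffer and start <= message_end, so the
 * subtraction is well defined and the result is non-negative. */
static size_t bytes_remaining(const uint8_t *start, const uint8_t *message_end)
{
    return (size_t)(message_end - start);
}

/* The pattern quoted in the commit message: compare n against the remaining
 * length. No pointer is advanced before the check, so nothing can wrap. */
static bool have_bytes(const uint8_t *start, const uint8_t *message_end, size_t n)
{
    return n <= bytes_remaining(start, message_end);
}

/* The rejected pattern, `(start + 2 + nw_size) > message_end`, modelled in
 * unsigned integer arithmetic so the wraparound is observable without doing
 * the (undefined) pointer arithmetic. Returns true when it would reject. */
static bool naive_rejects(const uint8_t *start, const uint8_t *message_end, size_t nw_size)
{
    uintptr_t field_end = (uintptr_t)start + 2 + nw_size;   /* wraps modulo 2^N */
    return field_end > (uintptr_t)message_end;
}

/* Parse one field: a 16-bit little-endian length followed by that many payload
 * bytes. Returns the payload length, or -1 if the message is truncated or the
 * declared length overruns it. */
int demarshal_field(const uint8_t *start, const uint8_t *message_end,
                    const uint8_t **payload)
{
    if (!have_bytes(start, message_end, 2))
        return -1;                         /* no room for the length prefix */
    size_t nw_size = (size_t)start[0] | ((size_t)start[1] << 8);
    start += 2;                            /* proven in range by the check above */
    if (!have_bytes(start, message_end, nw_size))
        return -1;                         /* declared length exceeds the message */
    *payload = start;
    return (int)nw_size;
}

/* Convenience wrapper over a whole buffer; also verifies the payload pointer. */
int demarshal_buffer(const uint8_t *buf, size_t len)
{
    const uint8_t *payload = NULL;
    int n = demarshal_field(buf, buf + len, &payload);
    if (n >= 0 && payload != buf + 2)
        return -2;                         /* should never happen */
    return n;
}

/* Reproduces the wraparound: with a huge nw_size the naive check accepts the
 * field while the length comparison rejects it. Returns true when that
 * divergence is observed. Assumes sizeof(size_t) == sizeof(uintptr_t). */
bool naive_check_misses_wraparound(void)
{
    static uint8_t msg[64];                /* constructed message buffer */
    const uint8_t *start2 = msg + 16;
    const uint8_t *message_end = msg + sizeof msg;
    size_t huge = SIZE_MAX - 8;            /* attacker-controlled length */

    /* (uintptr_t)start2 + 2 + huge wraps to start2 - 7 == msg + 9, which is
     * below message_end, so the naive comparison lets the field through. */
    bool naive_accepts = !naive_rejects(start2, message_end, huge);
    bool correct_accepts = have_bytes(start2 + 2, message_end, huge);
    return naive_accepts && !correct_accepts;
}

int main(void)
{
    const uint8_t good[] = { 0x03, 0x00, 'a', 'b', 'c' };   /* constructed */
    const uint8_t overlong[] = { 0xff, 0xff, 'a' };         /* constructed */
    const uint8_t truncated[] = { 0x03 };                   /* constructed */
    printf("good: %d\n", demarshal_buffer(good, sizeof good));
    printf("overlong: %d\n", demarshal_buffer(overlong, sizeof overlong));
    printf("truncated: %d\n", demarshal_buffer(truncated, sizeof truncated));
    printf("naive check misses wraparound: %s\n",
           naive_check_misses_wraparound() ? "yes" : "no");
    return 0;
}
```

The length comparison also handles the exact-fit case (a field that ends precisely at message_end) without ever forming `message_end + k`; the wrapper returning the payload length lets a caller advance its own cursor by a value that has already been proven to fit.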
Current thread:
- spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Doran Moppert (Aug 16)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Florian Weimer (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Frediano Ziglio (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Jeffrey Walton (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Frediano Ziglio (Aug 17)
- Re: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling Florian Weimer (Aug 17)