From 1fae1191e55638ff7593e3bf2d8d14cafd884305 Mon Sep 17 00:00:00 2001
From: Qiuhao Li
Date: Fri, 23 Apr 2021 10:10:50 +0800
Subject: [PATCH] reds: fix nullptr deref in red-parse-qxl.cpp

At red-parse-qxl.cpp#L535
if (qxl_flags & QXL_BITMAP_DIRECT) {
red->u.bitmap.data = red_get_image_data_flat(slots, group_id, qxl->bitmap.data, bitmap_size);
Since qxl->bitmap.data may from the guest, an attacker can make the memslot_get_virt() check in red_get_image_data_flat() fail and return a nullptr. Then at red-parse-qxl.cpp#L550
if (qxl_flags & QXL_BITMAP_UNSTABLE) {
red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
}
qxl_flags is assigned as qxl->bitmap.flags before, which can also be controlled by the attacker, resulting in a NULL pointer dereference.
This dereference seems to be introduced by commit 5ac88aa7.
Signed-off-by: Qiuhao Li
---
server/red-parse-qxl.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/red-parse-qxl.cpp b/server/red-parse-qxl.cpp
index 9724401..3575436 100644
--- a/server/red-parse-qxl.cpp
+++ b/server/red-parse-qxl.cpp
@@ -535,6 +535,9 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
 red->u.bitmap.data = red_get_image_data_flat(slots, group_id, qxl->bitmap.data, bitmap_size);
+ if (red->u.bitmap.data == nullptr) {
+ goto error;
+ }
 } else {
 size = red_get_data_chunks(slots, group_id, &chunks, qxl->bitmap.data);
--
libgit2 1.3.0
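Review bot: The new null check covers only the QXL_BITMAP_DIRECT branch, while the dereference the commit message cites (`red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE`, near line 550) is reached from the else branch as well; whether a failing `red_get_data_chunks` already jumps to `error` is not visible in this hunk, so if it does not, the same `if (red->u.bitmap.data == nullptr) { goto error; }` belongs after that branch too, or directly in front of the QXL_BITMAP_UNSTABLE test so both paths are covered at the use site. A one-line comment on the added check would record the trust boundary it enforces, e.g. `/* qxl->bitmap.data is guest-supplied; per red_get_image_data_flat() a rejected memslot address comes back as nullptr */`. The enclosing function red_get_image starts and ends outside the hunk, so what the `error:` label releases cannot be confirmed here; since `red->u.bitmap.data` is nullptr on this path, the cleanup presumably must tolerate that.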