From bed2d95ccd1aba688dd1e6c76c21afef59ba4341 Mon Sep 17 00:00:00 2001
From: Geoffrey McRae
Date: Sat, 25 Nov 2017 20:21:57 +1100
Subject: [PATCH] [client] added checks for invalid offsets by the guest
---
 client/main.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/client/main.c b/client/main.c
index 2e9be0ed..fba24e12 100644
--- a/client/main.c
+++ b/client/main.c
@@ -50,6 +50,7 @@ struct AppState
 SDL_Window * window;
 SDL_Renderer * renderer;
 struct KVMGFXHeader * shm;
+ unsigned int shmSize;
 };
 
 struct AppParams
@@ -216,6 +217,13 @@ int renderThread(void * unused)
 // calculate the texture size in bytes
 texSize = state.shm->width * state.shm->stride * bpp;
 
+ // ensure the size makes sense
+ if (state.shm->dataPos + texSize > state.shmSize)
+ {
+ DEBUG_ERROR("The guest sent an invalid dataPos");
+ break;
+ }
+
 // setup two buffers so we don't have to use fences
 glGenBuffers(2, vboID);
 for (int i = 0; i < 2; ++i)
@@ -273,6 +281,15 @@ int renderThread(void * unused)
 state.windowChanged = true;
 }
 
+ // final sanity checks on the data presented by the guest
+ // this is critical as the guest could overflow this buffer to
+ // try to take control of the host
+ if (state.shm->dataPos + texSize > state.shmSize)
+ {
+ DEBUG_ERROR("The guest sent an invalid dataPos");
+ break;
+ }
+
 SDL_RenderClear(state.renderer);
 if (state.hasBufferStorage)
 {
@@ -630,6 +647,7 @@ int run()
 DEBUG_ERROR("Failed to map memory");
 break;
 }
+ state.shmSize = ivshmem_get_map_size();
 state.shm->hostID = ivshmem_get_id();
 
 if (params.useSpice)
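Review bot: The added check `state.shm->dataPos + texSize > state.shmSize` can be defeated by wrap-around: `dataPos`, and the `width`/`stride` that feed `texSize` on the line above, all come from guest-writable shared memory, so a large `dataPos` makes the sum wrap below `shmSize` and the check passes. Rearrange it so no addition can overflow, `if (texSize > state.shmSize || state.shm->dataPos > state.shmSize - texSize)`, and bound the `width * stride * bpp` product the same way before it is used as a size. The field is also re-read from shared memory on each access; snapshotting `dataPos` into a host-side local and using that local for the later copy is what makes the check meaningful, since the guest can rewrite the field after it was validated. The declared types of `dataPos` and `texSize` are not visible here, so the exact overflow bound should be taken from the header. renderThread starts and ends outside the hunk.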
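Review bot: The second check at the top of this hunk re-reads `state.shm->dataPos` from guest-writable memory, so it validates a value that can differ from the one the subsequent copy sees if that copy dereferences `state.shm->dataPos` again; a check on shared memory only protects a use of the same snapshot. Read it once into a local, `const unsigned int dataPos = state.shm->dataPos;` (use the header's type, not visible here), validate the local in an overflow-safe form such as `texSize > state.shmSize || dataPos > state.shmSize - texSize`, and compute the source pointer from that local. The three-line comment should also say why the check is repeated here rather than relying on the one made when the texture was sized, e.g. `// re-validate: the guest may have changed dataPos since texSize was computed` — as written it asserts a risk but not what changed in between. The use site and the rest of renderThread are outside the hunk.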
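Review bot: The added store narrows whatever `ivshmem_get_map_size()` returns into the `unsigned int shmSize` field introduced in the first hunk; the getter's return type is not visible here, and if it is `size_t`, as a mapping length usually is, the upper bits are dropped silently. Declaring the field with the getter's type, or `size_t`, avoids the narrowing and keeps the `dataPos + texSize > state.shmSize` comparisons in renderThread from mixing widths. A one-line comment on the field, `// size of the mapped shared-memory region; bound for guest-supplied offsets`, would also document why it exists. run() starts and ends outside the hunk.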