From c188c382afcad1a054541f8b101fa1044e2289cf Mon Sep 17 00:00:00 2001

From: Frediano Ziglio <fziglio@redhat.com>

Date: Sun, 2 Jun 2019 19:02:25 +0100

Subject: [PATCH spice-gtk] vmcstream: Fix buffer overflow sending data to task

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The "count" variable is used to store the full length of the

initial buffer set using spice_vmc_input_stream_read_all_async or

spice_vmc_input_stream_read_async.

However on spice_vmc_input_stream_co_data the "buffer" variable is

increased by the amount read into it.

On potential next loop "count" is still used to compute the bytes to

read but now "buffer + count" points past the original buffer.

So we need to take into account the position written in order to

compute the right limit.

Tested with WebDAV.

https://bugzilla.redhat.com/show_bug.cgi?id=1720532

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>

---

 src/vmcstream.c | 11 +++++------

 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/vmcstream.c b/src/vmcstream.c

index 0634bce..86c949a 100644

--- a/src/vmcstream.c

+++ b/src/vmcstream.c

@@ -142,17 +142,16 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,

         g_return_if_fail(self->task != NULL);

-        gsize min = MIN(self->count, size);

-        memcpy(self->buffer, data, min);

+        gsize min = MIN(self->count - self->pos, size);

+        memcpy(self->buffer + self->pos, data, min);

         size -= min;

         data += min;

-        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT

-                    "/%" G_GSIZE_FORMAT, min, self->count);

-

         self->pos += min;

-        self->buffer += min;

+

+        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT

+                    "/%" G_GSIZE_FORMAT, self->pos, self->count);

         if (self->all && min > 0 && self->pos != self->count)

             continue;

-- 

2.22.0.rc2.384.g1a9a72ea1d