From c188c382afcad1a054541f8b101fa1044e2289cf Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Sun, 2 Jun 2019 19:02:25 +0100
Subject: [PATCH spice-gtk] vmcstream: Fix buffer overflow sending data to task
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The "count" variable is used to store the full length of the initial buffer set using spice_vmc_input_stream_read_all_async or spice_vmc_input_stream_read_async. However on spice_vmc_input_stream_co_data the "buffer" variable is increased by the amount read into it. On potential next loop "count" is still used to compute the bytes to read but now "buffer + count" points past the original buffer. So we need to take into account the position written in order to compute the right limit.
Tested with WebDAV.
https://bugzilla.redhat.com/show_bug.cgi?id=1720532
Signed-off-by: Frediano Ziglio
Acked-by: Marc-André Lureau
---
src/vmcstream.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/vmcstream.c b/src/vmcstream.c
index 0634bce..86c949a 100644
--- a/src/vmcstream.c
+++ b/src/vmcstream.c
@@ -142,17 +142,16 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
 g_return_if_fail(self->task != NULL);
- gsize min = MIN(self->count, size);
- memcpy(self->buffer, data, min);
+ gsize min = MIN(self->count - self->pos, size);
+ memcpy(self->buffer + self->pos, data, min);
 size -= min;
 data += min;
- SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
- "/%" G_GSIZE_FORMAT, min, self->count);
- self->pos += min;
- self->buffer += min;
+
+ SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
+ "/%" G_GSIZE_FORMAT, self->pos, self->count);
 if (self->all && min > 0 && self->pos != self->count) continue;
-- 
2.22.0.rc2.384.g1a9a72ea1d
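Review bot: On the new side of the hunk `self->pos += min;` is only removed (the `-` line following the old SPICE_DEBUG call) and no `+` line re-adds it, so as shown here the write position never advances: every pass copies to `self->buffer + 0`, the new debug line prints a stale `self->pos`, and `self->pos != self->count` in the `continue` test can never be satisfied by copying, which matches the 5 insertions / 6 deletions in the diffstat. If this is a paste artifact rather than the patch as submitted, disregard; otherwise `self->pos += min;` belongs between `data += min;` and the SPICE_DEBUG call. Separately, `self->count - self->pos` is unsigned gsize arithmetic, so a stale `pos` larger than `count` left over from an earlier task would wrap to a huge `min` and reintroduce the out-of-bounds memcpy this patch removes; a `g_return_if_fail(self->pos <= self->count);` beside the existing task check would make that invariant explicit and cheap to verify. The enclosing loop and spice_vmc_input_stream_co_data itself start and end outside the hunk.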