[Spice-commits] src/vmcstream.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Fri Jun 14 13:12:31 UTC 2019


 src/vmcstream.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

New commits:
commit c188c382afcad1a054541f8b101fa1044e2289cf
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Sun Jun 2 19:02:25 2019 +0100

    vmcstream: Fix buffer overflow sending data to task
    
    The "count" variable is used to store the full length of the
    initial buffer set using spice_vmc_input_stream_read_all_async or
    spice_vmc_input_stream_read_async.
    However, in spice_vmc_input_stream_co_data the "buffer" variable is
    increased by the amount read into it.
    On a potential next loop "count" is still used to compute the bytes to
    read but now "buffer + count" points past the original buffer.
    So we need to take into account the position written in order to
    compute the right limit.
    Tested with WebDAV.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1720532
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Marc-André Lureau <marcandre.lureau at redhat.com>

diff --git a/src/vmcstream.c b/src/vmcstream.c
index 0634bce..86c949a 100644
--- a/src/vmcstream.c
+++ b/src/vmcstream.c
@@ -142,17 +142,16 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
 
         g_return_if_fail(self->task != NULL);
 
-        gsize min = MIN(self->count, size);
-        memcpy(self->buffer, data, min);
+        gsize min = MIN(self->count - self->pos, size);
+        memcpy(self->buffer + self->pos, data, min);
 
         size -= min;
         data += min;
 
-        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
-                    "/%" G_GSIZE_FORMAT, min, self->count);
-
         self->pos += min;
-        self->buffer += min;
+
+        SPICE_DEBUG("spicevmc co_data complete: %" G_GSIZE_FORMAT
+                    "/%" G_GSIZE_FORMAT, self->pos, self->count);
 
         if (self->all && min > 0 && self->pos != self->count)
             continue;
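
Review bot: The subtraction in `MIN(self->count - self->pos, size)` is done on unsigned gsize values, so it only bounds the memcpy while `self->pos <= self->count` holds. If pos were ever ahead of count, the difference would wrap to a very large value and `size` alone would decide the copy length. Within these lines the invariant is kept, because pos only grows by `min`, but it also depends on pos being reset wherever buffer and count are set, which this hunk does not show. Consider adding `g_return_if_fail(self->pos <= self->count);` next to the existing `self->task != NULL` check so the assumption is explicit. Since the patch stops advancing `self->buffer`, it is also worth confirming that no other code in the file relied on the advanced pointer.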

