[Spice-devel] [spice-gtk v1 2/2] vmcstream: consider incomplete messages
Victor Toso
victortoso at redhat.com
Tue Aug 1 12:23:35 UTC 2017
From: Victor Toso <me at victortoso.com>
spice_vmc_input_stream_co_data() is called with the payload of
message ($data) and this buffer size ($size).
The client of this demux reads each parameter using
spice_vmc_input_stream_read_all_async() by passing the size of the
message that it wants which is stored in self->count.
This patch fixes the demux code as it does not consider that requested
message from client could be bigger than what was received initially
on spice_vmc_input_stream_co_data().
This patch, together with the previous patch, fixes a crash reported
on rhbz#1474074 with backtrace:
> #0 g_socket_create_source at gsocket.c:3700
> #1 g_coroutine_socket_wait at gio-coroutine.c:59
> #2 spice_channel_iterate_read at spice-channel.c:2246
> #3 spice_channel_iterate at spice-channel.c:2291
> #4 spice_channel_coroutine at spice-channel.c:2583
> #5 coroutine_trampoline at coroutine_ucontext.c:63
> #6 continuation_trampoline at continuation.c:55
Reproducer for this is the same as given in previous patch but using a
Windows 7 VM with spice-webdavd installed.
Note that the message from spice-webdavd is bogus here but client
should not crash.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1474074
Signed-off-by: Victor Toso <victortoso at redhat.com>
---
src/vmcstream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/vmcstream.c b/src/vmcstream.c
index 0634bce..7ea8c7f 100644
--- a/src/vmcstream.c
+++ b/src/vmcstream.c
@@ -142,7 +142,7 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
g_return_if_fail(self->task != NULL);
- gsize min = MIN(self->count, size);
+ gsize min = MIN(self->count - self->pos, size);
memcpy(self->buffer, data, min);
size -= min;
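Review bot: the subtraction in `MIN(self->count - self->pos, size)` is done on unsigned `gsize` values, so if `self->pos` were ever greater than `self->count` the result would wrap to a very large number, `MIN` would fall back to `size`, and the `memcpy` on the next line would copy the whole incoming chunk. A `g_return_if_fail(self->pos <= self->count);` just before this line would make that invariant explicit. Separately, the destination of the `memcpy` is still `self->buffer` rather than `self->buffer + self->pos`; unless the buffer pointer is advanced outside this hunk, a continuation chunk would overwrite the bytes already received, so please confirm that and mention it in the commit message.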
--
2.13.0