On Mon, Nov 17, 2014 at 03:54:18PM +0100, Marc-André Lureau wrote:
> looks good, ack
>
> On Mon, Nov 17, 2014 at 3:17 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> > SpiceGtkSession::clipboard_received_cb() starts by checking if the
> > clipboard is empty, or if the length of its data exceeds
> > 'max-clipboard-size'.
> >
> > Later in that function, the data is modified, and can be shortened
> > (removal of trailing '\0' or of '\r' for Windows -> linux copy and
> > paste), or enlarged (addition of '\r' for linux -> Windows c&p).
> >
> > This commit adds another check that the clipboard length is still valid
> > (non-0, and not bigger than 'max-clipboard-size') after making these
> > transformations.
> > ---
> > gtk/spice-gtk-session.c | 29 ++++++++++++++++++++++-------
> > 1 file changed, 22 insertions(+), 7 deletions(-)
> >
> > diff --git a/gtk/spice-gtk-session.c b/gtk/spice-gtk-session.c
> > index 26a0ecf..ca32d28 100644
> > --- a/gtk/spice-gtk-session.c
> > +++ b/gtk/spice-gtk-session.c
> > @@ -826,6 +826,24 @@ skip_grab_clipboard:
> > return TRUE;
> > }
> >
> > +static gboolean check_clipboard_size_limits(SpiceGtkSession *session,
> > + gint clipboard_len)
> > +{
> > + int max_clipboard;
> > +
> > + g_object_get(session->priv->main, "max-clipboard", &max_clipboard, NULL);
> > + if (max_clipboard != -1 && clipboard_len > max_clipboard) {
> > + g_warning("discarded clipboard of size %d (max: %d)",
> > + clipboard_len, max_clipboard);
> > + return FALSE;
> > + } else if (clipboard_len <= 0) {
> > + SPICE_DEBUG("discarding empty clipboard");
> > + return FALSE;
> > + }
> > +
> > + return TRUE;
> > +}
> > +
> > static void clipboard_received_cb(GtkClipboard *clipboard,
> > GtkSelectionData *selection_data,
> > gpointer user_data)
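Review bot: check_clipboard_size_limits() takes the length as a `gint` and carries no comment stating its contract, although after this patch it is the single place where the "max-clipboard" limit is enforced. The second call site (the hunk at -902) passes a value assigned from `strlen()`, so a length that does not fit in a gint would be narrowed before the comparison here; the declaration of `len` is not visible in the patch, so that is something to confirm rather than a certain defect. I would add a comment above the helper such as `/* TRUE if clipboard_len is > 0 and, unless "max-clipboard" is -1, not above it; callers must pass a length that fits in gint. */`. The commit description names the property 'max-clipboard-size' while the code reads "max-clipboard", which is worth aligning.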
> > @@ -845,18 +863,12 @@ static void clipboard_received_cb(GtkClipboard *clipboard,
> > gchar* name;
> > GdkAtom atom;
> > int selection;
> > - int max_clipboard;
> >
> > selection = get_selection_from_clipboard(s, clipboard);
> > g_return_if_fail(selection != -1);
> >
> > - g_object_get(s->main, "max-clipboard", &max_clipboard, NULL);
> > len = gtk_selection_data_get_length(selection_data);
> > - if (max_clipboard != -1 && len > max_clipboard) {
> > - g_warning("discarded clipboard of size %d (max: %d)", len, max_clipboard);
> > - return;
> > - } else if (len <= 0) {
> > - SPICE_DEBUG("discarding empty clipboard");
> > + if (!check_clipboard_size_limits(self, len)) {
> > return;
> > } else {
> > atom = gtk_selection_data_get_data_type(selection_data);
> > @@ -902,6 +914,9 @@ static void clipboard_received_cb(GtkClipboard *clipboard,
> > */
> > len = strlen((const char *)data);
> > }
> > + if (!check_clipboard_size_limits(self, len)) {
> > + return;
> > + }
> > }
Actually this potentially leaks 'conv', I'll squash
diff --git a/gtk/spice-gtk-session.c b/gtk/spice-gtk-session.c
index ca32d28..8007cf2 100644
--- a/gtk/spice-gtk-session.c
+++ b/gtk/spice-gtk-session.c
@@ -915,6 +915,7 @@ static void clipboard_received_cb(GtkClipboard *clipboard,
 len = strlen((const char *)data);
 }
 if (!check_clipboard_size_limits(self, len)) {
+ g_free(conv);
 return;
 }
 }
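Review bot: The added `g_free(conv);` in the follow-up hunk (-915) is only safe if `conv` is NULL on every path that reaches this check without a conversion buffer having been allocated; its declaration and assignments are outside the hunk, so that needs confirming against the full function. If it is initialised at declaration, a short comment next to the free would record the assumption, for example `/* conv is NULL unless a converted copy was allocated above */`. Now that two early returns in clipboard_received_cb sit after possible allocations, a single cleanup label that frees `conv` would keep later early exits from reintroducing the leak. The function body starts and ends outside this hunk.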