From: Victor Toso <me@xxxxxxxxxxxxxx>

spice_vmc_input_stream_co_data() is called with the payload of the message ($data) and this buffer's size ($size). The client of this demux reads each parameter using spice_vmc_input_stream_read_all_async() by passing the size of the message that it wants, which is stored in self->count.

This patch fixes the demux code, as it does not consider that the requested message from the client could be bigger than what was received initially in spice_vmc_input_stream_co_data().

This patch, together with the previous patch, fixes a crash reported on rhbz#1474074 with backtrace:

> #0 g_socket_create_source at gsocket.c:3700
> #1 g_coroutine_socket_wait at gio-coroutine.c:59
> #2 spice_channel_iterate_read at spice-channel.c:2246
> #3 spice_channel_iterate at spice-channel.c:2291
> #4 spice_channel_coroutine at spice-channel.c:2583
> #5 coroutine_trampoline at coroutine_ucontext.c:63
> #6 continuation_trampoline at continuation.c:55

The reproducer for this is the same as given in the previous patch, but using a Windows 7 VM with spice-webdavd installed. Note that the message from spice-webdavd is bogus here, but the client should not crash.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1474074

Signed-off-by: Victor Toso <victortoso@xxxxxxxxxx>
---
 src/vmcstream.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/vmcstream.c b/src/vmcstream.c
index 0634bce..7ea8c7f 100644
--- a/src/vmcstream.c
+++ b/src/vmcstream.c
@@ -142,7 +142,7 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self,
 g_return_if_fail(self->task != NULL);
- gsize min = MIN(self->count, size);
+ gsize min = MIN(self->count - self->pos, size);
 memcpy(self->buffer, data, min);
 size -= min;
--
2.13.0

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
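Review bot: the new clamp `MIN(self->count - self->pos, size)` is an unsigned (gsize) subtraction, and nothing in this hunk guards self->pos <= self->count; if pos ever exceeds count the remaining length wraps to a huge value and the clamp degenerates to `size`, so the memcpy that follows copies the whole chunk regardless of the request length. A `g_return_if_fail(self->pos <= self->count);` beside the existing task check would make the invariant explicit. Separately, the unchanged context line still reads `memcpy(self->buffer, data, min);` with no pos offset; that is only correct if self->buffer is advanced elsewhere as pos grows (not visible in this hunk), so it is worth confirming that the second chunk of a partial message is not written over the first one.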
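The accumulation logic the commit message describes, as an added example that is not spice-gtk code: a toy demux request that borrows the field names from the patch (buffer, count, pos; the struct, the function names and the scenario data are assumptions of this example). It is fed the commit's case of a request larger than the first chunk the channel delivers, and `patched` switches between the old clamp MIN(count, size) and the new MIN(count - pos, size). Unlike the real code, the model copies at buffer + pos explicitly, and when the old clamp would overrun the buffer it reports the overrun and copies nothing rather than corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a pending read request (assumed names after the patch;
 * the real SpiceVmcInputStream has more state than this). */
typedef struct {
    uint8_t *buffer;   /* destination supplied by read_all_async()  */
    size_t   count;    /* bytes the caller asked for                */
    size_t   pos;      /* bytes already copied into buffer          */
} demux_request_t;

/* Deliver one chunk of channel data to the pending request.
 * patched == false reproduces the pre-patch clamp MIN(count, size);
 * patched == true  reproduces the fix           MIN(count - pos, size).
 * Returns the bytes consumed from data (the caller keeps the rest for
 * the next request). If the chosen clamp would copy past the end of
 * buffer, *overrun is set and nothing is copied. */
static size_t demux_co_data(demux_request_t *req, const uint8_t *data,
                            size_t size, bool patched, bool *overrun)
{
    *overrun = false;
    if (req->pos > req->count)          /* defensive: count - pos would wrap */
        return 0;

    size_t remaining = req->count - req->pos;
    size_t min = patched ? (remaining < size ? remaining : size)
                         : (req->count < size ? req->count : size);

    if (min > remaining) {              /* old clamp ignored pos */
        *overrun = true;
        return 0;
    }
    memcpy(req->buffer + req->pos, data, min);
    req->pos += min;
    return min;
}

/* Commit-message scenario with constructed data: the client asks for 10
 * bytes, the channel delivers a 6-byte chunk and then an 8-byte chunk.
 * Returns true if the request completed with the right bytes and no
 * overrun; *leftover is how much of chunk 2 belongs to the next request. */
static bool run_scenario(bool patched, size_t *leftover, bool *overrun)
{
    static const uint8_t chunk1[6] = { 'A', 'B', 'C', 'D', 'E', 'F' };
    static const uint8_t chunk2[8] = { 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N' };
    uint8_t dst[10];
    demux_request_t req = { dst, sizeof dst, 0 };

    *leftover = 0;
    demux_co_data(&req, chunk1, sizeof chunk1, patched, overrun);
    if (*overrun)
        return false;
    size_t used = demux_co_data(&req, chunk2, sizeof chunk2, patched, overrun);
    if (*overrun)
        return false;
    *leftover = sizeof chunk2 - used;
    return req.pos == req.count && memcmp(dst, "ABCDEFGHIJ", 10) == 0;
}

/* Wrappers so each result can be checked without out-parameters. */
static bool scenario_ok(bool patched)
{
    size_t leftover; bool overrun;
    return run_scenario(patched, &leftover, &overrun);
}

static bool scenario_overrun(bool patched)
{
    size_t leftover; bool overrun;
    run_scenario(patched, &leftover, &overrun);
    return overrun;
}

static size_t scenario_leftover(bool patched)
{
    size_t leftover; bool overrun;
    run_scenario(patched, &leftover, &overrun);
    return leftover;
}

int main(void)
{
    printf("old clamp: ok=%d overrun=%d\n", scenario_ok(false), scenario_overrun(false));
    printf("new clamp: ok=%d leftover=%zu\n", scenario_ok(true), scenario_leftover(true));
    return 0;
}
```

With the old clamp the second chunk is clamped to count (10) instead of the 4 bytes still outstanding, so 8 bytes would land in a buffer with room for 4; with the patched clamp the request completes and the 4 surplus bytes are left for the next read.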