----- Original Message ----- > From: Victor Toso <me@xxxxxxxxxxxxxx> > > spice_vmc_input_stream_co_data() is called with the payload of > message ($data) and this buffer size ($size). > > The client of this demux reads each parameter using > spice_vmc_input_stream_read_all_async() by passing the size of the > message that it wants which is stored in self->count. > > This patch fixes the demux code as it does not consider that requested > message from client could be bigger then what was received initially > on spice_vmc_input_stream_co_data(). > > This patch fixes together with previous patch, fixes a crash reported > on rhbz#1474074 with backtrace: > > > #0 g_socket_create_source at gsocket.c:3700 > > #1 g_coroutine_socket_wait at gio-coroutine.c:59 > > #2 spice_channel_iterate_read at spice-channel.c:2246 > > #3 spice_channel_iterate at spice-channel.c:2291 > > #4 spice_channel_coroutine at spice-channel.c:2583 > > #5 coroutine_trampoline at coroutine_ucontext.c:63 > > #6 continuation_trampoline at continuation.c:55 > > Reproducer for this is the same as given in previous patch but using a > Windows 7 VM with spice-webdavd installed. > > Note that the message from spice-webdavd is bogus here but client > should not crash. > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1474074 > > Signed-off-by: Victor Toso <victortoso@xxxxxxxxxx> > --- > src/vmcstream.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/vmcstream.c b/src/vmcstream.c > index 0634bce..7ea8c7f 100644 > --- a/src/vmcstream.c > +++ b/src/vmcstream.c > @@ -142,7 +142,7 @@ spice_vmc_input_stream_co_data(SpiceVmcInputStream *self, > > g_return_if_fail(self->task != NULL); > > - gsize min = MIN(self->count, size); > + gsize min = MIN(self->count - self->pos, size); Looks right, good one, ACK > memcpy(self->buffer, data, min); > > size -= min; > -- > 2.13.0 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/spice-devel > _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel