Sophie


spice-0.12.5-2.4.mga5.src.rpm

From c2cdd1daf8edceec8adbb456dca656efe3648eec Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Thu, 17 Sep 2015 14:28:36 +0100
Subject: [PATCH 56/57] Prevent data_size from being set independently of data

There was no check on the data_size field, so one could set data to
a small set of data and data_size much bigger than the size of data,
leading to a buffer overflow.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 server/red_parse_qxl.c | 1 +
 1 file changed, 1 insertion(+)

Index: spice-0.12.5/server/red_parse_qxl.c
===================================================================
--- spice-0.12.5.orig/server/red_parse_qxl.c	2015-10-01 07:19:07.173314864 -0400
+++ spice-0.12.5/server/red_parse_qxl.c	2015-10-01 07:19:07.169314897 -0400
@@ -1392,6 +1392,7 @@
     size = red_get_data_chunks_ptr(slots, group_id,
                                    get_memslot_id(slots, addr),
                                    &chunks, &qxl->chunk);
+    red->data_size = MIN(red->data_size, size);
     data = red_linearize_chunk(&chunks, size, &free_data);
     red_put_data_chunks(&chunks);
     if (free_data) {
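Review bot: the added `red->data_size = MIN(red->data_size, size);` silently clamps a data_size that exceeds the linearized chunk total instead of treating the mismatch as a malformed command; since a data_size larger than the actual data is exactly the overflow condition the commit message describes, consider logging the inconsistency and failing the parse so the bad input is visible rather than quietly shrunk. The clamp also assumes `size` from red_get_data_chunks_ptr is a valid length: if that function can signal failure through its return value, nothing in the visible context checks for it before the MIN. A one-line comment stating that data_size is guest-controlled and must not exceed the data actually read would make the intent clear to the next reader.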