main/spice/CVE-2018-10873.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c

diff --git a/spice-common/python_modules/demarshal.py b/python_modules/demarshal.py
index 7b53361..5a237a6 100644
--- a/spice-common/python_modules/demarshal.py
+++ b/spice-common/python_modules/demarshal.py
@@ -331,6 +331,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
         writer.assign(nelements, array.size)
     elif array.is_remaining_length():
         if element_type.is_fixed_nw_size():
+            writer.error_check("%s > message_end" % item.get_position())
             if element_type.get_fixed_nw_size() == 1:
                 writer.assign(nelements, "message_end - %s" % item.get_position())
             else:
diff --git a/tests/test-marshallers.c b/tests/test-marshallers.c
index ad45e36..02fbcd1 100644
--- a/spice-common/tests/test-marshallers.c
+++ b/spice-common/tests/test-marshallers.c
@@ -150,6 +150,14 @@ int main(int argc G_GNUC_UNUSED, char **argv G_GNUC_UNUSED)
 
     test_overflow(marshaller);
 
+    len = 4;
+    data = g_new0(uint8_t, len);
+    memset(data, 0, len);
+    msg = (SpiceMsgMainShortDataSubMarshall *) spice_parse_msg(data, data + len, 1, 3, 0,
+                                                               &msg_len, &free_message);
+    g_assert_null(msg);
+    g_free(data);
+
     spice_marshaller_destroy(marshaller);
 
     return 0;
diff --git a/tests/test-marshallers.h b/tests/test-marshallers.h
index 99877c0..4eab90f 100644
--- a/spice-common/tests/test-marshallers.h
+++ b/spice-common/tests/test-marshallers.h
@@ -21,5 +21,10 @@ typedef struct SpiceMsgChannels {
     uint16_t channels[0];
 } SpiceMsgChannels;
 
+typedef struct {
+    uint32_t dummy[2];
+    uint8_t data[0];
+} SpiceMsgMainLenMessage;
+
 #endif /* _H_TEST_MARSHALLERS */
 
diff --git a/tests/test-marshallers.proto b/tests/test-marshallers.proto
index c75134e..34cc892 100644
--- a/spice-common/tests/test-marshallers.proto
+++ b/spice-common/tests/test-marshallers.proto
@@ -19,6 +19,11 @@ channel TestChannel {
         uint32 num_of_channels;
         uint16 channels[num_of_channels] @end;
     } @ctype(SpiceMsgChannels) channels_list;
+
+    message {
+        uint32 dummy[2];
+        uint8 data[] @end;
+    } LenMessage;
 };
 
 protocol Spice {
-- 
2.17.1