main/spice: enable opus support

2 files changed, 119 insertions, 2 deletions

diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 3c8d88532..fca99cee8 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=spice
 pkgver=0.12.6
-pkgrel=0
+pkgrel=1
 pkgdesc="Implements the SPICE protocol"
 url="http://www.spice-space.org/"
 arch="all"
@@ -11,7 +11,7 @@ depends=""
 depends_dev="spice-protocol pixman-dev celt051-dev openssl-dev libxinerama-dev"
 makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
 	cyrus-sasl-dev libxfixes-dev python-dev bash cegui06-dev py-parsing
-	py-six glib-dev"
+	py-six glib-dev opus-dev"
 install=""
 subpackages="$pkgname-dev $pkgname-server"
 source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
@@ -41,6 +41,7 @@ build() {
 		--enable-gui \
 		--enable-client \
 		--disable-smartcard \
+		--enable-opus \
 		|| return 1
 	make -C spice-common WARN_CFLAGS='' || return 1
 	make WARN_CFLAGS='' || return 1
diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch
new file mode 100644
index 000000000..47ee3c4f9
--- /dev/null
+++ b/main/spice/CVE-2015-3247.patch
@@ -0,0 +1,116 @@
+From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 9 Jun 2015 08:50:46 +0100
+Subject: Avoid race conditions reading monitor configs from guest
+
+For security reasons do not assume guest do not change structures it
+pass to Qemu.
+Guest could change count field while Qemu is copying QXLMonitorsConfig
+structure leading to heap corruption.
+This patch avoid it reading count only once.
+
+This patch solves CVE-2015-3247.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+
+diff --git a/server/red_worker.c b/server/red_worker.c
+index 2f2d5a9..e2feb23 100644
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc)
+ 
+ static void worker_update_monitors_config(RedWorker *worker,
+                                           QXLMonitorsConfig *dev_monitors_config,
+-                                          unsigned int max_monitors)
++                                          uint16_t count, uint16_t max_allowed)
+ {
+     int heads_size;
+     MonitorsConfig *monitors_config;
+     int i;
+-    unsigned int count = MIN(dev_monitors_config->count, max_monitors);
+ 
+     monitors_config_decref(worker->monitors_config);
+ 
+     spice_debug("monitors config %d(%d)",
+-                dev_monitors_config->count,
+-                dev_monitors_config->max_allowed);
+-    for (i = 0; i < dev_monitors_config->count; i++) {
++                count,
++                max_allowed);
++    for (i = 0; i < count; i++) {
+         spice_debug("+%d+%d %dx%d",
+                     dev_monitors_config->heads[i].x,
+                     dev_monitors_config->heads[i].y,
+@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker,
+     monitors_config->refs = 1;
+     monitors_config->worker = worker;
+     monitors_config->count = count;
+-    monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors);
++    monitors_config->max_allowed = max_allowed;
+     memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size);
+ }
+ 
+@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload)
+     red_migrate_display(worker, rcc);
+ }
+ 
++static inline uint32_t qxl_monitors_config_size(uint32_t heads)
++{
++    return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads;
++}
++
+ static void handle_dev_monitors_config_async(void *opaque, void *payload)
+ {
+     RedWorkerMessageMonitorsConfigAsync *msg = payload;
+     RedWorker *worker = opaque;
+-    int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead);
+     int error;
++    uint16_t count, max_allowed;
+     QXLMonitorsConfig *dev_monitors_config =
+         (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
+-                                     min_size, msg->group_id, &error);
++                                     qxl_monitors_config_size(1),
++                                     msg->group_id, &error);
+ 
+     if (error) {
+         /* TODO: raise guest bug (requires added QXL interface) */
+         return;
+     }
+     worker->driver_cap_monitors_config = 1;
+-    if (dev_monitors_config->count == 0) {
++    count = dev_monitors_config->count;
++    max_allowed = dev_monitors_config->max_allowed;
++    if (count == 0) {
+         spice_warning("ignoring an empty monitors config message from driver");
+         return;
+     }
+-    if (dev_monitors_config->count > dev_monitors_config->max_allowed) {
++    if (count > max_allowed) {
+         spice_warning("ignoring malformed monitors_config from driver, "
+                       "count > max_allowed %d > %d",
+-                      dev_monitors_config->count,
+-                      dev_monitors_config->max_allowed);
++                      count,
++                      max_allowed);
++        return;
++    }
++    /* get pointer again to check virtual size */
++    dev_monitors_config =
++        (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
++                                     qxl_monitors_config_size(count),
++                                     msg->group_id, &error);
++    if (error) {
++        /* TODO: raise guest bug (requires added QXL interface) */
+         return;
+     }
+-    worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors);
++    worker_update_monitors_config(worker, dev_monitors_config,
++                                  MIN(count, msg->max_monitors),
++                                  MIN(max_allowed, msg->max_monitors));
+     red_worker_push_monitors_config(worker);
+ }
+ 
+-- 
+cgit v0.10.2
+