From c25361c4d8e41b41a9b4d1bb874f5257ec72d96e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 04:54:25 +0000
Subject: import spice-gtk-0.35-2.el7
---
diff --git a/.gitignore b/.gitignore
index 872dbc9..dbed308 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/spice-gtk-0.34.tar.bz2
+SOURCES/spice-gtk-0.35.tar.bz2
diff --git a/.spice-gtk.metadata b/.spice-gtk.metadata
index 2724ef6..25d362a 100644
--- a/.spice-gtk.metadata
+++ b/.spice-gtk.metadata
@@ -1 +1 @@
-e588a87a3e52e79971973cd828730cf64787cef4 SOURCES/spice-gtk-0.34.tar.bz2
+ce859f77e625928a147b7ae73e5af45166861d16 SOURCES/spice-gtk-0.35.tar.bz2
diff --git a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch
new file mode 100644
index 0000000..94c4ec5
--- /dev/null
+++ b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch
@@ -0,0 +1,298 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 18 May 2018 11:41:57 +0100 +Subject: [PATCH] Fix flexible array buffer overflow + +This is kind of a DoS, possibly flexible array in the protocol +causes the network size check to be ignored due to integer overflows. + +The size of flexible array is computed as (message_end - position), +then this size is added to the number of bytes before the array and +this number is used to check if we overflow initial message. + +An example is: + + message { + uint32 dummy[2]; + uint8 data[] @end; + } LenMessage; + +which generated this (simplified remove useless code) code: + + { /* data */ + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + } + + nw_size = 8 + data__nw_size; + + /* Check if message fits in reported side */ + if (nw_size > (uintptr_t) (message_end - start)) { + return NULL; + } + +Following code: +- data__nelements == message_end - (start + 8) +- data__nw_size == data__nelements == message_end - (start + 8) +- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == + 8 + message_end - start - 8 == message_end -start +- the check for overflow is (nw_size > (message_end - start)) but + nw_size == message_end - start so the check is doing + ((message_end - start) > (message_end - start)) which is always false. + +If message_end - start < 8 then data__nelements (number of element +on the array above) computation generate an integer underflow that +later create a buffer overflow. + +Add a check to make sure that the array starts before the message ends +to avoid the overflow. + +Difference is: + diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c + - - save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 + + + common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 + 
@@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -5226,6 +5235,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5305,6 +5317,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5540,6 +5555,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + 
@@ -5594,6 +5612,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 8) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c + - - save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 + + + common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 + @@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -6574,6 +6583,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6670,6 +6682,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6907,6 +6922,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + 
@@ -6961,6 +6979,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + @@ -7559,6 +7580,9 @@ + SpiceMsgTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -7840,6 +7864,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c + - - save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 + + + common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 + @@ -306,6 +306,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -324,6 +327,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -1259,6 +1265,9 @@ + SpiceMsgcRecordPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + @@ -1313,6 +1322,9 @@ + SpiceMsgcRecordMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + 
@@ -1841,6 +1853,9 @@ + SpiceMsgcTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -2057,6 +2072,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + +Signed-off-by: Frediano Ziglio +--- + spice-common/python_modules/demarshal.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py +index 1ea131d..7172762 100644 +--- a/spice-common/python_modules/demarshal.py ++++ b/spice-common/python_modules/demarshal.py +@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star + writer.assign(nelements, array.size) + elif array.is_remaining_length(): + if element_type.is_fixed_nw_size(): ++ writer.error_check("%s > message_end" % item.get_position()) + if element_type.get_fixed_nw_size() == 1: + writer.assign(nelements, "message_end - %s" % item.get_position()) + else: diff --git a/SOURCES/0001-canvas-base-Fix-width-computation-for-palette-images.patch b/SOURCES/0001-canvas-base-Fix-width-computation-for-palette-images.patch deleted file mode 100644 index 350839c..0000000 --- a/SOURCES/0001-canvas-base-Fix-width-computation-for-palette-images.patch +++ /dev/null 
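Review bot: The guard emitted by `writer.error_check("%s > message_end" % item.get_position())` forms the pointer before comparing it, as in `(start + 12) > message_end` and `(start + 1 + u__nw_size) > message_end`. When the message is shorter than the offset, that addition already points more than one element past the buffer, which C leaves undefined, and where the offset includes a computed size such as `u__nw_size` (presumably derived from message contents) the sum could in principle wrap. Comparing lengths avoids both, e.g. `if (SPICE_UNLIKELY((uintptr_t)(message_end - start) < 12))`, with the generator emitting the offset against the remaining length rather than a pointer sum. write_validate_array_item continues outside the hunk, so whether other array kinds need the same guard cannot be judged from here.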
@@ -1,33 +0,0 @@ -From 3b4759ce15325e2de1b473d619b69ae786c2fcec Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Thu, 21 Dec 2017 15:54:04 +0000 -Subject: [PATCH spice-common] canvas-base: Fix width computation for palette - images - -Palette images are encoded with a slightly larger pixel than -width. This cause a wrong calculation of stride_encoded value -which cause a wrong stride adjustment. - -This fix bug https://bugzilla.redhat.com/show_bug.cgi?id=1508847. - -Signed-off-by: Frediano Ziglio ---- - common/canvas_base.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/canvas_base.c b/common/canvas_base.c -index a9d7855..2ecd276 100644 ---- a/spice-common/common/canvas_base.c -+++ b/spice-common/common/canvas_base.c -@@ -824,7 +824,7 @@ static pixman_image_t *canvas_get_lz(CanvasBase *canvas, SpiceImage *image, - lz_decode_begin(lz_data->lz, comp_buf, comp_size, &type, - &width, &height, &n_comp_pixels, &top_down, palette); - -- stride_encoded = width; -+ stride_encoded = n_comp_pixels / height; - switch (type) { - case LZ_IMAGE_TYPE_RGBA: - as_type = LZ_IMAGE_TYPE_RGBA; --- -2.14.3 - diff --git a/SOURCES/0002-Revert-channel-usbredir-Fix-crash-on-channel-up.patch b/SOURCES/0002-Revert-channel-usbredir-Fix-crash-on-channel-up.patch deleted file mode 100644 index b732d25..0000000 --- a/SOURCES/0002-Revert-channel-usbredir-Fix-crash-on-channel-up.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Victor Toso -Date: Mon, 11 Jun 2018 12:14:30 +0200 -Subject: [PATCH] Revert "channel-usbredir: Fix crash on channel-up" - -This reverts commit 291f3e4419e6fb4077ae43a5e09eb1c37b9dd729. - -Follow up patch should address rhbz#1399838 mentioned in commit above -in a different way. - -Major reason to revert is that the SpiceUsbDeviceManager object is -kept in SpiceSession as an easy way to share it between different -SpiceUsbredirChannel while SpiceSession itself does not use it. This -causes problems on migration as we start a new session with a new -SpiceUsbDeviceManager object while the previous one still exists. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1558043 -Signed-off-by: Victor Toso -Acked-by: Christophe Fergeau ---- - src/spice-session.c | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/src/spice-session.c b/src/spice-session.c -index a729cc3..094dc41 100644 ---- a/src/spice-session.c -+++ b/src/spice-session.c -@@ -281,7 +281,6 @@ static void spice_session_init(SpiceSession *session) - { - SpiceSessionPrivate *s; - gchar *channels; -- GError *err = NULL; - - SPICE_DEBUG("New session (compiled from package " PACKAGE_STRING ")"); - s = session->priv = SPICE_SESSION_GET_PRIVATE(session); -@@ -294,12 +293,6 @@ static void spice_session_init(SpiceSession *session) - s->images = cache_image_new((GDestroyNotify)pixman_image_unref); - s->glz_window = glz_decoder_window_new(); - update_proxy(session, NULL); -- -- s->usb_manager = spice_usb_device_manager_get(session, &err); -- if (err != NULL) { -- SPICE_DEBUG("Could not initialize SpiceUsbDeviceManager - %s", err->message); -- g_clear_error(&err); -- } - } - - static void diff --git a/SOURCES/0003-channel-usbredir-Fix-crash-on-channel-up.patch b/SOURCES/0003-channel-usbredir-Fix-crash-on-channel-up.patch deleted file mode 100644 index 06f321e..0000000 
--- a/SOURCES/0003-channel-usbredir-Fix-crash-on-channel-up.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Victor Toso -Date: Fri, 6 Apr 2018 09:59:44 +0200 -Subject: [PATCH] channel-usbredir: Fix crash on channel-up - -By adding a guard to not handle channel-up on SpiceUsbredirChannel in -case struct usbredirhost wasn't initialized yet. Same guard is in -place for the generic usbredir_handle_msg() function to avoid handling -Server's message while Client's initialization is not done. - -As mentioned in commit 291f3e4419e6, this isn't a problem for -graphical clients as some initialization is done to present the -shareable usb devices to user. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1399838 -Signed-off-by: Victor Toso -Acked-by: Christophe Fergeau ---- - src/channel-usbredir.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/channel-usbredir.c b/src/channel-usbredir.c -index 1f791bc..306bdd5 100644 ---- a/src/channel-usbredir.c -+++ b/src/channel-usbredir.c -@@ -817,6 +817,7 @@ static void spice_usbredir_channel_up(SpiceChannel *c) - SpiceUsbredirChannel *channel = SPICE_USBREDIR_CHANNEL(c); - SpiceUsbredirChannelPrivate *priv = channel->priv; - -+ g_return_if_fail(priv->host != NULL); - /* Flush any pending writes */ - usbredirhost_write_guest_data(priv->host); - } diff --git a/SOURCES/0004-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0004-Fix-flexible-array-buffer-overflow.patch deleted file mode 100644 index 94c4ec5..0000000 --- a/SOURCES/0004-Fix-flexible-array-buffer-overflow.patch +++ /dev/null 
@@ -1,298 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Fri, 18 May 2018 11:41:57 +0100 -Subject: [PATCH] Fix flexible array buffer overflow - -This is kind of a DoS, possibly flexible array in the protocol -causes the network size check to be ignored due to integer overflows. - -The size of flexible array is computed as (message_end - position), -then this size is added to the number of bytes before the array and -this number is used to check if we overflow initial message. - -An example is: - - message { - uint32 dummy[2]; - uint8 data[] @end; - } LenMessage; - -which generated this (simplified remove useless code) code: - - { /* data */ - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - } - - nw_size = 8 + data__nw_size; - - /* Check if message fits in reported side */ - if (nw_size > (uintptr_t) (message_end - start)) { - return NULL; - } - -Following code: -- data__nelements == message_end - (start + 8) -- data__nw_size == data__nelements == message_end - (start + 8) -- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == - 8 + message_end - start - 8 == message_end -start -- the check for overflow is (nw_size > (message_end - start)) but - nw_size == message_end - start so the check is doing - ((message_end - start) > (message_end - start)) which is always false. - -If message_end - start < 8 then data__nelements (number of element -on the array above) computation generate an integer underflow that -later create a buffer overflow. - -Add a check to make sure that the array starts before the message ends -to avoid the overflow. - -Difference is: - diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c - - - save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 - + + common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 - 
@@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -5226,6 +5235,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5305,6 +5317,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5540,6 +5555,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -5594,6 +5612,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 8) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c - - - save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 - + + common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 - @@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -6574,6 +6583,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6670,6 +6682,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6907,6 +6922,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -6961,6 +6979,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - @@ -7559,6 +7580,9 @@ - SpiceMsgTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -7840,6 +7864,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c - - - save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 - + + common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 - @@ -306,6 +306,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -324,6 +327,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -1259,6 +1265,9 @@ - SpiceMsgcRecordPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - @@ -1313,6 +1322,9 @@ - SpiceMsgcRecordMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - 
@@ -1841,6 +1853,9 @@ - SpiceMsgcTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -2057,6 +2072,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - -Signed-off-by: Frediano Ziglio ---- - spice-common/python_modules/demarshal.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py -index 1ea131d..7172762 100644 ---- a/spice-common/python_modules/demarshal.py -+++ b/spice-common/python_modules/demarshal.py -@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star - writer.assign(nelements, array.size) - elif array.is_remaining_length(): - if element_type.is_fixed_nw_size(): -+ writer.error_check("%s > message_end" % item.get_position()) - if element_type.get_fixed_nw_size() == 1: - writer.assign(nelements, "message_end - %s" % item.get_position()) - else: diff --git a/SOURCES/1000-gtk-Makefile.am-add-PIE-flags-to-libspice-client-gli.patch b/SOURCES/1000-gtk-Makefile.am-add-PIE-flags-to-libspice-client-gli.patch deleted file mode 100644 index 1686db8..0000000 --- a/SOURCES/1000-gtk-Makefile.am-add-PIE-flags-to-libspice-client-gli.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 9788af437a99cb2600aeae6e313a43efb2ceb466 Mon Sep 17 00:00:00 2001 -From: Alon Levy -Date: Wed, 6 May 2015 09:04:02 -0400 -Subject: [PATCH] gtk/Makefile.am: add PIE flags to libspice-client-glib - -Also to gtk and controller lib - -Signed-off-by: Pavel Grunt ---- - src/Makefile.am | 7 +++++++ - src/Makefile.in | 7 +++++++ - src/controller/Makefile.am | 2 ++ - src/controller/Makefile.in | 2 ++ - 4 files changed, 18 insertions(+) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 78953dd..688a7e8 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -115,6 +115,7 @@ SPICE_GTK_LDFLAGS_COMMON = \ - -version-info 5:0:0 \ - -no-undefined \ - $(GTK_SYMBOLS_LDFLAGS) \ -+ $(PIE_LDFLAGS) \ - $(NULL) - - SPICE_GTK_LIBADD_COMMON = \ -@@ -161,6 +162,7 @@ endif - if WITH_GTK - EXTRA_libspice_client_gtk_3_0_la_DEPENDENCIES = $(GTK_SYMBOLS_FILE) - libspice_client_gtk_3_0_la_LDFLAGS = $(SPICE_GTK_LDFLAGS_COMMON) -+libspice_client_gtk_3_0_la_CPPFLAGS = $(PIE_CFLAGS) - libspice_client_gtk_3_0_la_LIBADD = $(SPICE_GTK_LIBADD_COMMON) - libspice_client_gtk_3_0_la_SOURCES = $(SPICE_GTK_SOURCES_COMMON) - nodist_libspice_client_gtk_3_0_la_SOURCES = $(nodist_SPICE_GTK_SOURCES_COMMON) -@@ -185,6 +187,11 @@ libspice_client_glib_2_0_la_LDFLAGS = \ - -version-info 14:0:6 \ - -no-undefined \ - $(GLIB_SYMBOLS_LDFLAGS) \ -+ $(PIE_LDFLAGS) \ -+ $(NULL) -+ -+libspice_client_glib_2_0_la_CPPFLAGS = \ -+ $(PIE_CFLAGS) \ - $(NULL) - - libspice_client_glib_2_0_la_LIBADD = \ -diff --git a/src/Makefile.in b/src/Makefile.in -index 2ea0804..a5e3a37 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -790,6 +790,7 @@ SPICE_GTK_LDFLAGS_COMMON = \ - -version-info 5:0:0 \ - -no-undefined \ - $(GTK_SYMBOLS_LDFLAGS) \ -+ $(PIE_LDFLAGS) \ - $(NULL) - - SPICE_GTK_LIBADD_COMMON = \ -@@ -815,6 +816,7 @@ nodist_SPICE_GTK_SOURCES_COMMON = \ - - @WITH_GTK_TRUE@EXTRA_libspice_client_gtk_3_0_la_DEPENDENCIES = $(GTK_SYMBOLS_FILE) - @WITH_GTK_TRUE@libspice_client_gtk_3_0_la_LDFLAGS = 
$(SPICE_GTK_LDFLAGS_COMMON) -+@WITH_GTK_TRUE@libspice_client_gtk_3_0_la_CPPFLAGS = $(PIE_CFLAGS) - @WITH_GTK_TRUE@libspice_client_gtk_3_0_la_LIBADD = $(SPICE_GTK_LIBADD_COMMON) - @WITH_GTK_TRUE@libspice_client_gtk_3_0_la_SOURCES = $(SPICE_GTK_SOURCES_COMMON) - @WITH_GTK_TRUE@nodist_libspice_client_gtk_3_0_la_SOURCES = $(nodist_SPICE_GTK_SOURCES_COMMON) -@@ -836,6 +838,11 @@ libspice_client_glib_2_0_la_LDFLAGS = \ - -version-info 14:0:6 \ - -no-undefined \ - $(GLIB_SYMBOLS_LDFLAGS) \ -+ $(PIE_LDFLAGS) \ -+ $(NULL) -+ -+libspice_client_glib_2_0_la_CPPFLAGS = \ -+ $(PIE_CFLAGS) \ - $(NULL) - - libspice_client_glib_2_0_la_LIBADD = \ -diff --git a/src/controller/Makefile.am b/src/controller/Makefile.am -index fb56986..71dd2bd 100644 ---- a/src/controller/Makefile.am -+++ b/src/controller/Makefile.am -@@ -4,6 +4,7 @@ AM_CPPFLAGS = \ - -DG_LOG_DOMAIN=\"GSpiceController\" \ - $(GIO_CFLAGS) \ - $(COMMON_CFLAGS) \ -+ $(PIE_CFLAGS) \ - -Wno-deprecated-declarations \ - $(NULL) - -@@ -11,6 +12,7 @@ AM_CPPFLAGS = \ - AM_LDFLAGS = \ - -no-undefined \ - $(GIO_LIBS) \ -+ $(PIE_LDFLAGS) \ - $(NULL) - - AM_VALAFLAGS = \ -diff --git a/src/controller/Makefile.in b/src/controller/Makefile.in -index 03e67a4..32c1d44 100644 ---- a/src/controller/Makefile.in -+++ b/src/controller/Makefile.in -@@ -495,6 +495,7 @@ AM_CPPFLAGS = \ - -DG_LOG_DOMAIN=\"GSpiceController\" \ - $(GIO_CFLAGS) \ - $(COMMON_CFLAGS) \ -+ $(PIE_CFLAGS) \ - -Wno-deprecated-declarations \ - $(NULL) - -@@ -503,6 +504,7 @@ AM_CPPFLAGS = \ - AM_LDFLAGS = \ - -no-undefined \ - $(GIO_LIBS) \ -+ $(PIE_LDFLAGS) \ - $(NULL) - - AM_VALAFLAGS = \ --- -2.13.0 - diff --git a/SPECS/spice-gtk.spec b/SPECS/spice-gtk.spec index 1e97d18..5018a13 100644 --- a/SPECS/spice-gtk.spec +++ b/SPECS/spice-gtk.spec 
@@ -3,21 +3,16 @@ #define _version_suffix Name: spice-gtk -Version: 0.34 -Release: 3%{?dist}.2 +Version: 0.35 +Release: 2%{?dist} Summary: A GTK+ widget for SPICE clients Group: System Environment/Libraries License: LGPLv2+ URL: https://www.spice-space.org/ -#VCS: git:git://anongit.freedesktop.org/spice/spice-gtk Source0: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2 -Patch0001: 0001-canvas-base-Fix-width-computation-for-palette-images.patch -Patch0002: 0002-Revert-channel-usbredir-Fix-crash-on-channel-up.patch -Patch0003: 0003-channel-usbredir-Fix-crash-on-channel-up.patch -Patch0004: 0004-Fix-flexible-array-buffer-overflow.patch -Patch1000: 1000-gtk-Makefile.am-add-PIE-flags-to-libspice-client-gli.patch +Patch0001: 0001-Fix-flexible-array-buffer-overflow.patch BuildRequires: intltool BuildRequires: usbredir-devel >= 0.6-8 @@ -120,15 +115,10 @@ spicy-screenshot is a tool to capture screen-shots of a SPICE desktop. %setup -q -n spice-gtk-%{version}%{?_version_suffix} %patch0001 -p1 -%patch0002 -p1 -%patch0003 -p1 -%patch0004 -p1 -%patch1000 -p1 -find . -name '*.stamp' | xargs touch - %build %configure \ + --enable-celt051 \ --with-gtk=3.0 \ --enable-vala \ --with-usb-acl-helper-dir=%{_libexecdir}/spice-gtk-%{_arch}/ \ @@ -158,7 +148,6 @@ rm -f %{buildroot}%{_libdir}/*.la %files -n spice-glib -f %{name}.lang %{_libdir}/libspice-client-glib-2.0.so.* -%{_libdir}/libspice-controller.so.* %{_libdir}/girepository-1.0/SpiceClientGLib-2.0.typelib %dir %{_libexecdir}/spice-gtk-%{_arch}/ %attr(4755, root, root) %{_libexecdir}/spice-gtk-%{_arch}/spice-client-glib-usb-acl-helper 
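Review bot: Patch1000 (`1000-gtk-Makefile.am-add-PIE-flags-to-libspice-client-gli.patch`) is dropped in the first hunk of this file without a changelog line, while the package still ships `spice-client-glib-usb-acl-helper` with `%attr(4755, root, root)`. The changelog entry for 0.35-1 says only `- Rebase to 0.35`, so a reader cannot tell whether the PIE flags now come from the 0.35 tarball or the distribution build flags, or were lost. I would add a changelog line such as `- Drop PIE patch, hardening flags now come from <source to be confirmed>` and also say why `--enable-celt051` was added in the `%configure` hunk. A post-build check of the shipped binaries for PIE and RELRO would confirm nothing regressed.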
@@ -166,13 +155,9 @@ rm -f %{buildroot}%{_libdir}/*.la %files -n spice-glib-devel %{_libdir}/libspice-client-glib-2.0.so -%{_libdir}/libspice-controller.so %{_includedir}/spice-client-glib-2.0 -%{_includedir}/spice-controller %{_libdir}/pkgconfig/spice-client-glib-2.0.pc -%{_libdir}/pkgconfig/spice-controller.pc %{_datadir}/gir-1.0/SpiceClientGLib-2.0.gir -%{_datadir}/vala/vapi/spice-protocol.vapi %doc %{_datadir}/gtk-doc/html/* %files -n spice-gtk3 @@ -202,13 +187,13 @@ rm -f %{buildroot}%{_libdir}/*.la %{_bindir}/spicy-stats %changelog -* Thu Aug 09 2018 Frediano Ziglio - 0.34-3.2 +* Fri Aug 10 2018 Frediano Ziglio - 0.35-2 - Fix flexible array buffer overflow Resolves: rhbz#1596008 -* Wed Jun 13 2018 Victor Toso - 0.34-3.1 -- Fix migration failure when USB is enabled - Resolves: rhbz#1590412 +* Mon Jun 11 2018 Victor Toso - 0.35-1 +- Rebase to 0.35 + Resolves: rhbz#1562126 * Thu Dec 21 2017 Frediano Ziglio - 0.34-3 - Fix stride misalignment