spice-gtk/0005-util-fix-off-by-one-array-access.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Thu, 7 Jul 2016 18:23:24 +0200
Subject: [PATCH] util: fix off-by-one array access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks to ASAN, I found this off-by-one memory access in the unix2dos
code:

/util/unix2dos: =================================================================
==23589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dd2f at pc 0x00000040428e bp 0x7ffd6fc31b90 sp 0x7ffd6fc31b80
READ of size 1 at 0x60200000dd2f thread T0
    #0 0x40428d in spice_convert_newlines /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355
    #1 0x40443a in spice_unix2dos /home/elmarco/src/spice/spice-gtk/src/spice-util.c:382
    #2 0x401eae in test_unix2dos /home/elmarco/src/spice/spice-gtk/tests/util.c:69
    #3 0x7fb8bcd81983  (/lib64/libglib-2.0.so.0+0x6e983)
    #4 0x7fb8bcd81b4e  (/lib64/libglib-2.0.so.0+0x6eb4e)
    #5 0x7fb8bcd81d5d in g_test_run_suite (/lib64/libglib-2.0.so.0+0x6ed5d)
    #6 0x7fb8bcd81d80 in g_test_run (/lib64/libglib-2.0.so.0+0x6ed80)
    #7 0x402cce in main /home/elmarco/src/spice/spice-gtk/tests/util.c:207
    #8 0x7fb8bc755730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #9 0x401818 in _start (/home/elmarco/src/spice/spice-gtk/tests/util+0x401818)

0x60200000dd2f is located 1 bytes to the left of 4-byte region [0x60200000dd30,0x60200000dd34)
allocated by thread T0 here:
    #0 0x7fb8c10421d0 in realloc (/lib64/libasan.so.3+0xc71d0)
    #1 0x7fb8bcd61f1f in g_realloc (/lib64/libglib-2.0.so.0+0x4ef1f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355 in spice_convert_newlines

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 src/spice-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/spice-util.c b/src/spice-util.c
index 7788921..bca3abc 100644
--- a/src/spice-util.c
+++ b/src/spice-util.c
@@ -352,7 +352,7 @@ static gchar* spice_convert_newlines(const gchar *str, gssize len,
         if (nl) {
             /* let's not double \r if it's already in the line */
             if (to == NEWLINE_TYPE_CR_LF &&
-                output->str[output->len - 1] != '\r')
+                (output->len == 0 || output->str[output->len - 1] != '\r'))
                 g_string_append_c(output, '\r');
 
             g_string_append_c(output, '\n');
Add upstream patches fixing USB event thread leak Resolves: rhbz#1217202 (virt-manager) May help with rhbz#1338042 (gnome-boxes) 2016-07-11 09:19:25 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>`
			`Date: Thu, 7 Jul 2016 18:23:24 +0200`
			`Subject: [PATCH] util: fix off-by-one array access`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Thanks to ASAN, I found this off-by-one memory access in the unix2dos`
			`code:`

			`/util/unix2dos: =================================================================`
			`==23589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dd2f at pc 0x00000040428e bp 0x7ffd6fc31b90 sp 0x7ffd6fc31b80`
			`READ of size 1 at 0x60200000dd2f thread T0`
			`#0 0x40428d in spice_convert_newlines /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355`
			`#1 0x40443a in spice_unix2dos /home/elmarco/src/spice/spice-gtk/src/spice-util.c:382`
			`#2 0x401eae in test_unix2dos /home/elmarco/src/spice/spice-gtk/tests/util.c:69`
			`#3 0x7fb8bcd81983 (/lib64/libglib-2.0.so.0+0x6e983)`
			`#4 0x7fb8bcd81b4e (/lib64/libglib-2.0.so.0+0x6eb4e)`
			`#5 0x7fb8bcd81d5d in g_test_run_suite (/lib64/libglib-2.0.so.0+0x6ed5d)`
			`#6 0x7fb8bcd81d80 in g_test_run (/lib64/libglib-2.0.so.0+0x6ed80)`
			`#7 0x402cce in main /home/elmarco/src/spice/spice-gtk/tests/util.c:207`
			`#8 0x7fb8bc755730 in __libc_start_main (/lib64/libc.so.6+0x20730)`
			`#9 0x401818 in _start (/home/elmarco/src/spice/spice-gtk/tests/util+0x401818)`

			`0x60200000dd2f is located 1 bytes to the left of 4-byte region [0x60200000dd30,0x60200000dd34)`
			`allocated by thread T0 here:`
			`#0 0x7fb8c10421d0 in realloc (/lib64/libasan.so.3+0xc71d0)`
			`#1 0x7fb8bcd61f1f in g_realloc (/lib64/libglib-2.0.so.0+0x4ef1f)`

			`SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355 in spice_convert_newlines`

			`Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>`
			`---`
			`src/spice-util.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/src/spice-util.c b/src/spice-util.c`
			`index 7788921..bca3abc 100644`
			`--- a/src/spice-util.c`
			`+++ b/src/spice-util.c`
			`@@ -352,7 +352,7 @@ static gchar* spice_convert_newlines(const gchar *str, gssize len,`
			`if (nl) {`
			`/* let's not double \r if it's already in the line */`
			`if (to == NEWLINE_TYPE_CR_LF &&`
			`- output->str[output->len - 1] != '\r')`
			`+ (output->len == 0 \|\| output->str[output->len - 1] != '\r'))`
			`g_string_append_c(output, '\r');`

			`g_string_append_c(output, '\n');`