diff --git a/0006-server-reds-add-usbredir-to-recognized-channel-names.patch b/0006-server-reds-add-usbredir-to-recognized-channel-names.patch
new file mode 100644
index 0000000..9c6b2df
--- /dev/null
+++ b/0006-server-reds-add-usbredir-to-recognized-channel-names.patch
@@ -0,0 +1,27 @@
+From ce8e865cf1fcd7ee6ef2e6f8b33506df31e3345e Mon Sep 17 00:00:00 2001
+From: Alon Levy
+Date: Mon, 7 May 2012 14:14:37 +0300
+Subject: [PATCH 6/8] server/reds: add "usbredir" to recognized channel names
+
+RHBZ: 819484
+
+Signed-off-by: Alon Levy
+---
+ server/reds.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 1696fbc..26d6f89 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -3971,6 +3971,7 @@ SPICE_GNUC_VISIBLE int spice_server_set_channel_security(SpiceServer *s, const c
+ #ifdef USE_SMARTCARD
+ [ SPICE_CHANNEL_SMARTCARD] = "smartcard",
+ #endif
++ [ SPICE_CHANNEL_USBREDIR ] = "usbredir",
+ };
+ int i;
+
+--
+1.7.10.1
+
diff --git a/0007-server-mjpeg_encoder-Fix-memory-leak-for-the-inital-.patch b/0007-server-mjpeg_encoder-Fix-memory-leak-for-the-inital-.patch
new file mode 100644
index 0000000..cae906c
--- /dev/null
+++ b/0007-server-mjpeg_encoder-Fix-memory-leak-for-the-inital-.patch
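Review bot: In the 0006 patch's hunk on server/reds.c, the new `[ SPICE_CHANNEL_USBREDIR ] = "usbredir",` entry sits outside the `#ifdef USE_SMARTCARD` guard, so a build without smartcard support may end up with an empty (NULL) slot at the smartcard index, assuming SPICE_CHANNEL_USBREDIR is numbered after SPICE_CHANNEL_SMARTCARD, which is not visible here. The name-matching loop of spice_server_set_channel_security lies outside the hunk; it should skip NULL entries before comparing strings, otherwise a security setting for an unknown channel name could crash the server instead of being rejected. I would also add a comment above the table: `/* indexed by SPICE_CHANNEL_*; a slot is NULL when its channel is compiled out */`.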
@@ -0,0 +1,68 @@
+From 1ba5d956168b0d0b9a9f16a843bd1b13cf897e78 Mon Sep 17 00:00:00 2001
+From: Yonit Halperin
+Date: Thu, 10 May 2012 12:26:01 +0300
+Subject: [PATCH 7/8] server/mjpeg_encoder: Fix memory leak for the inital
+ output buffer given for each frame
+
+---
+ server/mjpeg_encoder.c | 11 +++--------
+ server/mjpeg_encoder.h | 5 +++++
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/server/mjpeg_encoder.c b/server/mjpeg_encoder.c
+index 6b68549..74062f5 100644
+--- a/server/mjpeg_encoder.c
++++ b/server/mjpeg_encoder.c
+@@ -105,7 +105,6 @@ typedef struct {
+
+ unsigned char ** outbuffer; /* target buffer */
+ size_t * outsize;
+- unsigned char * newbuffer; /* newly allocated buffer */
+ uint8_t * buffer; /* start of buffer */
+ size_t bufsize;
+ } mem_destination_mgr;
+@@ -129,9 +128,7 @@ static boolean empty_mem_output_buffer(j_compress_ptr cinfo)
+
+ memcpy(nextbuffer, dest->buffer, dest->bufsize);
+
+- free(dest->newbuffer);
+-
+- dest->newbuffer = nextbuffer;
++ free(dest->buffer);
+
+ dest->pub.next_output_byte = nextbuffer + dest->bufsize;
+ dest->pub.free_in_buffer = dest->bufsize;
+@@ -184,12 +181,10 @@ spice_jpeg_mem_dest(j_compress_ptr cinfo,
+ dest->pub.term_destination = term_mem_destination;
+ dest->outbuffer = outbuffer;
+ dest->outsize = outsize;
+- dest->newbuffer = NULL;
+-
+ if (*outbuffer == NULL || *outsize == 0) {
+ /* Allocate initial buffer */
+- dest->newbuffer = *outbuffer = malloc(OUTPUT_BUF_SIZE);
+- if (dest->newbuffer == NULL)
++ *outbuffer = malloc(OUTPUT_BUF_SIZE);
++ if (*outbuffer == NULL)
+ ERREXIT1(cinfo, JERR_OUT_OF_MEMORY, 10);
+ *outsize = OUTPUT_BUF_SIZE;
+ }
+diff --git a/server/mjpeg_encoder.h b/server/mjpeg_encoder.h
+index c43827f..62ef207 100644
+--- a/server/mjpeg_encoder.h
++++ b/server/mjpeg_encoder.h
+@@ -27,6 +27,11 @@ MJpegEncoder *mjpeg_encoder_new(int width, int height);
+ void mjpeg_encoder_destroy(MJpegEncoder *encoder);
+
+ uint8_t mjpeg_encoder_get_bytes_per_pixel(MJpegEncoder *encoder);
++
++/*
++ * *dest must be either NULL or allocated by malloc, since it might be freed
++ * during the encoding, if its size is too small.
++ */
+ int mjpeg_encoder_start_frame(MJpegEncoder *encoder, SpiceBitmapFmt format,
+ uint8_t **dest, size_t *dest_len);
+ int mjpeg_encoder_encode_scanline(MJpegEncoder *encoder, uint8_t *src_pixels,
+--
+1.7.10.1
+
diff --git a/0008-server-mjpeg_encoder-fix-wrong-size-assigned-to-dest.patch b/0008-server-mjpeg_encoder-fix-wrong-size-assigned-to-dest.patch
new file mode 100644
index 0000000..6a9d987
--- /dev/null
+++ b/0008-server-mjpeg_encoder-fix-wrong-size-assigned-to-dest.patch
@@ -0,0 +1,28 @@
+From 29f70d96d44fc4eaf3ffb027ce22cd4f8509b2bf Mon Sep 17 00:00:00 2001
+From: Yonit Halperin
+Date: Thu, 10 May 2012 14:01:39 +0300
+Subject: [PATCH 8/8] server/mjpeg_encoder: fix wrong size assigned to
+ dest_len
+
+It should have been the allocated size and not the occupied one.
+This led to a lot of unnecessary allocations and deallocations.
+---
+ server/mjpeg_encoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/mjpeg_encoder.c b/server/mjpeg_encoder.c
+index 74062f5..42fe352 100644
+--- a/server/mjpeg_encoder.c
++++ b/server/mjpeg_encoder.c
+@@ -144,7 +144,7 @@ static void term_mem_destination(j_compress_ptr cinfo)
+ mem_destination_mgr *dest = (mem_destination_mgr *) cinfo->dest;
+
+ *dest->outbuffer = dest->buffer;
+- *dest->outsize = dest->bufsize - dest->pub.free_in_buffer;
++ *dest->outsize = dest->bufsize;
+ }
+
+ /*
+--
+1.7.10.1
+
diff --git a/spice.spec b/spice.spec
index 075852b..d400e5a 100644
--- a/spice.spec
+++ b/spice.spec
@@ -1,6 +1,6 @@
 Name: spice
 Version: 0.10.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Implements the SPICE protocol
 Group: User Interface/Desktops
 License: LGPLv2+
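Review bot: In the 0007 patch, empty_mem_output_buffer now frees `dest->buffer`, which on the first growth is the caller's own `*dest`, yet the caller's pointer is only rewritten later in term_mem_destination. If encoding is abandoned between the two (an ERREXIT path, for instance), the caller is left holding a freed pointer, and a later free or reuse of it would be a double free or use-after-free. Writing the new buffer back at once, `*dest->outbuffer = nextbuffer;` directly after `free(dest->buffer);`, closes that window. `*dest->outsize` would need the same treatment at the point where the new size is stored, which is outside the hunk.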
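Review bot: In the 0008 patch, `*dest->outsize = dest->bufsize;` makes `*dest_len` report the buffer's capacity rather than the encoded length, so any caller that still treats `*dest_len` as the frame size would send the unused tail of the heap buffer, which is never initialised, to the client. No caller is visible in this patch, so every user of mjpeg_encoder_start_frame needs checking that it takes the encoded length from elsewhere. The header comment added in 0007 should state the contract, for example `/* *dest_len is the allocated size of *dest, not the number of encoded bytes */`.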
@@ -12,6 +12,9 @@ Patch1: 0002-server-red_memslots-use-QXLPHYSICAL-for-addresses.patch
 Patch2: 0003-server-red_worker-fix-for-case-where-ASSERT-is-compi.patch
 Patch3: 0004-server-red_memslots-don-t-assume-64-bit-environment.patch
 Patch4: 0005-server-red_worker-don-t-release-self_bitmap-unless-r.patch
+Patch5: 0006-server-reds-add-usbredir-to-recognized-channel-names.patch
+Patch6: 0007-server-mjpeg_encoder-Fix-memory-leak-for-the-inital-.patch
+Patch7: 0008-server-mjpeg_encoder-fix-wrong-size-assigned-to-dest.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 ExclusiveArch: i686 x86_64
@@ -77,6 +80,9 @@ using spice-server, you will need to install spice-server-devel.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %build
 %configure --enable-gui --enable-smartcard
@@ -120,7 +126,11 @@ fi
 %{_libdir}/pkgconfig/spice-server.pc
 %changelog
-* Tue May 13 2012 Alon Levy
+* Mon May 14 2012 Alon Levy
+- Fix mjpeg memory leak and bad behavior.
+- Add usbredir to list of channels for security purposes. (#819484)
+
+* Sun May 13 2012 Alon Levy
 - Add double free fix. (#808936)
 %changelog