import spice-0.14.3-3.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/spice-0.14.2.tar.bz2
+SOURCES/spice-0.14.3.tar.bz2
 SOURCES/victortoso-E37A484F.keyring

.spice.metadata

@@ -1,2 +1,2 @@
-83a93e47546d496cf2dcc3f4641db3a285044b9e SOURCES/spice-0.14.2.tar.bz2
+f5968dd5df5f64805d093b4c85b4165959e6c65b SOURCES/spice-0.14.3.tar.bz2
 da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring

SOURCES/0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch

@@ -0,0 +1,34 @@
+From d9cc2d4659950df230dfe30e5445b91d4c15604e Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:09:13 +0100
+Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
+ decoding quic image
+
+All paths already pass some data to quic_decode_begin but for the
+test check it, it's not that expensive test.
+Checking for not 0 is enough, all other words will potentially be
+read calling more_io_words but we need one to avoid a potential
+initial buffer overflow or deferencing an invalid pointer.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
+index 55a5d6c..e03f3af 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     int channels;
+     int bpc;
+ 
+-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+         return QUIC_ERROR;
+     }
+ 
+-- 
+2.25.4
+

SOURCES/0002-quic-Check-image-size-in-quic_decode_begin.patch

@@ -0,0 +1,48 @@
+From 19cd6fe85610b424349db2d97e2dd0e2761a4a05 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:10:24 +0100
+Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
+
+Avoid some overflow in code due to images too big or
+negative numbers.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
+index e03f3af..890f128 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
+                                                     unmodified GR codewords in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     height = encoder->io_word;
+     decode_eat32bits(encoder);
+ 
++    if (width <= 0 || height <= 0) {
++        encoder->usr->warn(encoder->usr, "invalid size\n");
++        return QUIC_ERROR;
++    }
++
++    /* avoid too big images */
++    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++        encoder->usr->error(encoder->usr, "image too large\n");
++    }
++
+     quic_image_params(encoder, type, &channels, &bpc);
+ 
+     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
+-- 
+2.25.4
+

SOURCES/0003-quic-Check-RLE-lengths.patch

@@ -0,0 +1,35 @@
+From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:11:38 +0100
+Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
+
+Avoid buffer overflows decoding images. On compression we compute
+lengths till end of line so it won't cause regressions.
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic_tmpl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
+index f0a4927..11e09f5 100644
+--- a/subprojects/spice-common/common/quic_tmpl.c
++++ b/subprojects/spice-common/common/quic_tmpl.c
+@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
+ do_run:
+         state->waitcnt = stopidx - i;
+         run_index = i;
+-        run_end = i + decode_state_run(encoder, state);
++        run_end = decode_state_run(encoder, state);
++        if (run_end < 0 || run_end > (end - i)) {
++            encoder->usr->error(encoder->usr, "wrong RLE\n");
++        }
++        run_end += i;
+ 
+         for (; i < run_end; i++) {
+             UNCOMPRESS_PIX_START(&cur_row[i]);
+-- 
+2.25.4
+

SOURCES/0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch

@@ -0,0 +1,35 @@
+From 57c6e6b00247ad289a27648213d7ad2306fe3931 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Thu, 30 Apr 2020 10:19:09 +0100
+Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
+ find_bucket
+
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic_family_tmpl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
+index 8a5f7d2..6cc051b 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
++++ b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
+         spice_assert(val < (0x1U << BPC));
+     }
+ 
+-    return channel->_buckets_ptrs[val];
++    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++     * attempts. Is much faster then using comparisons and save us from such situations.
++     * Note that on normal build the check above won't be compiled as this code path
++     * is pretty hot and would cause speed regressions.
++     */
++    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
+-- 
+2.25.4
+

SOURCES/0005-websocket-Fix-possible-integer-overflow.patch

@@ -0,0 +1,32 @@
+From b8f4d7d2c7a3d08a82f4bc7588cdff15cee54292 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Tue, 16 Jun 2020 11:49:19 +0100
+Subject: [PATCH] websocket: Fix possible integer overflow
+
+The shift of a uint_8 number by a number > 32 causes an overflow.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <ulublin@redhat.com>
+---
+ server/websocket.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/server/websocket.c b/server/websocket.c
+index f5df63f8..82b20b49 100644
+--- a/server/websocket.c
++++ b/server/websocket.c
+@@ -165,8 +165,9 @@ static uint64_t extract_length(const uint8_t *buf, int *used)
+     case LENGTH_64BIT:
+         *used += 8;
+         outlen = 0;
+-        for (i = 56; i >= 0; i -= 8) {
+-            outlen |= (*buf++) << i;
++        for (i = 0; i < 8; ++i) {
++            outlen <<= 8;
++            outlen |= *buf++;
+         }
+         break;
+ 
+-- 
+2.26.2
+

SOURCES/0006-test-websocket-check-setsockopt-return-value.patch

@@ -0,0 +1,41 @@
+From 954eabaeb76a0f93a32210b6bf63157ad2c0fb22 Mon Sep 17 00:00:00 2001
+From: Uri Lublin <uril@redhat.com>
+Date: Wed, 17 Jun 2020 11:52:05 +0300
+Subject: [PATCH] test-websocket: check setsockopt return value
+
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/tests/test-websocket.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/server/tests/test-websocket.c b/server/tests/test-websocket.c
+index 2115411e..701f5408 100644
+--- a/server/tests/test-websocket.c
++++ b/server/tests/test-websocket.c
+@@ -146,7 +146,10 @@ main(int argc, char **argv)
+     }
+ 
+     int enable = 1;
+-    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable));
++    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR,
++                   (const void *) &enable, sizeof(enable)) < 0) {
++        err(1, "setsockopt reuseaddr");
++    }
+ 
+     if (non_blocking) {
+         red_socket_set_non_blocking(sock, true);
+@@ -200,7 +203,10 @@ handle_client(int new_sock)
+     }
+ 
+     int enable = 1;
+-    setsockopt(new_sock, SOL_TCP, TCP_NODELAY, (const void *) &enable, sizeof(enable));
++    if (setsockopt(new_sock, SOL_TCP, TCP_NODELAY,
++                   (const void *) &enable, sizeof(enable)) < 0) {
++        err(1, "setsockopt nodelay");
++    }
+ 
+     // wait header
+     wait_for(new_sock, POLLIN);
+-- 
+2.26.2
+

SPECS/spice.spec

@@ -1,6 +1,6 @@
 Name:           spice
-Version:        0.14.2
-Release:        1%{?dist}
+Version:        0.14.3
+Release:        3%{?dist}
 Summary:        Implements the SPICE protocol
 Group:          User Interface/Desktops
 License:        LGPLv2+
@@ -8,6 +8,13 @@ URL:            https://www.spice-space.org/
 Source0:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
 Source1:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sig
 Source2:        victortoso-E37A484F.keyring
+Patch1:         0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
+Patch2:         0002-quic-Check-image-size-in-quic_decode_begin.patch
+Patch3:         0003-quic-Check-RLE-lengths.patch
+Patch4:         0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
+
+Patch5:         0005-websocket-Fix-possible-integer-overflow.patch
+Patch6:         0006-test-websocket-check-setsockopt-return-value.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 %if 0%{?rhel} && 0%{?rhel} <= 7
@@ -42,7 +49,6 @@ variety of machine architectures.
 %package server
 Summary:        Implements the server side of the SPICE protocol
 Group:          System Environment/Libraries
-Obsoletes:      spice-client < %{version}-%{release}
 
 %description server
 The Simple Protocol for Independent Computing Environments (SPICE) is
@@ -96,7 +102,7 @@ mkdir -p %{buildroot}%{_libexecdir}
 %files server
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc README NEWS
+%doc README CHANGELOG.md
 %{_libdir}/libspice-server.so.1*
 
 %files server-devel
@@ -106,6 +112,19 @@ mkdir -p %{buildroot}%{_libexecdir}
 
 
 %changelog
+* Wed Jun 17 2020 Uri Lublin <uril@redhat.com> - 0.14.3-3
+- Fix some static analyzer issues
+- Removed Obsoletes line for spice-client
+  Related: rhbz#1840240
+
+* Mon Jun  1 2020 Frediano Ziglio <fziglio@redhat.com> - 0.14.3-2
+- Fix multiple buffer overflows in QUIC decoding code
+  Resolves: rhbz#1829946
+
+* Thu May 28 2020 Frediano Ziglio <fziglio@redhat.com> - 0.14.3-1
+- Update to 0.14.3
+  Revolves: rhbz#1840240
+
 * Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.14.2-1
 - Update to 0.14.2
   Resolves: rhbz#1562123