From 91362d045a42b56cb8bc2b91034b91165482723f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 13 Apr 2021 21:27:00 +0400
Subject: [PATCH] Fix invalid vdagent buffer access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The caller use the "size" argument in different ways. Either the size of the data to convert, or the end boundary to be deduced by offset. Fix it so the the "size" argument means the amount in bytes of data to convert, that seems simpler and saner. (yay C)

Fixes: spice#53
Signed-off-by: Marc-André Lureau
---
 common/agent.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/common/agent.c b/common/agent.c
index e29fdcd..3894c7f 100644
--- a/common/agent.c
+++ b/common/agent.c
@@ -132,8 +132,8 @@ static void uint16_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
 uint32_t i;
 uint16_unaligned_t *msg = (uint16_unaligned_t *)(_msg + offset);
 
- /* offset - size % 2 should be 0 - extra bytes are ignored */
- for (i = 0; i < (size - offset) / 2; i++) {
+ /* size % 2 should be 0 - extra bytes are ignored */
+ for (i = 0; i < size / 2; i++) {
 FIX_ENDIAN16(msg[i].v);
 }
 }
@@ -143,8 +143,8 @@ static void uint32_from_le(uint8_t *_msg, uint32_t size, uint32_t offset)
 uint32_t i;
 uint32_unaligned_t *msg = (uint32_unaligned_t *)(_msg + offset);
 
- /* offset - size % 4 should be 0 - extra bytes are ignored */
- for (i = 0; i < (size - offset) / 4; i++) {
+ /* size % 4 should be 0 - extra bytes are ignored */
+ for (i = 0; i < size / 4; i++) {
 FIX_ENDIAN32(msg[i].v);
 }
 }
@@ -168,7 +168,7 @@ agent_message_clipboard_from_le(const VDAgentMessage *message_header, uint8_t *d
 FIX_ENDIAN32(data_type->v);
 break;
 case VD_AGENT_CLIPBOARD_GRAB:
- uint32_from_le(data, message_header->size, min_size);
+ uint32_from_le(data, message_header->size - min_size, min_size);
 break;
 case VD_AGENT_CLIPBOARD_RELEASE:
 // empty
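Review bot: The new meaning of `size` deserves a comment on uint16_from_le itself, because the commit message says callers previously disagreed on it and the loop at `for (i = 0; i < size / 2; i++)` now trusts the caller completely for the bound. I would put above the function: `/* Convert size/2 little-endian uint16 values at _msg + offset to host order. size is the byte count of the region to convert; the caller must ensure _msg + offset + size stays inside the message. */` The same wording, with uint32 and size/4, applies to uint32_from_le in the following hunk. Only the signature of uint16_from_le is visible, in the hunk header.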
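Review bot: The new argument `message_header->size - min_size` in the VD_AGENT_CLIPBOARD_GRAB case is an unsigned subtraction that wraps to a value near UINT32_MAX when `size` is smaller than `min_size`, which would make uint32_from_le run far past the buffer; the removed call had the equivalent hazard inside `(size - offset)`, so this is not introduced here, but the patch is the natural place to close it. If the header has already been validated against `min_size` before this function is reached, the call is fine, but nothing in the hunk shows that, so I would add a guard that bails out when `message_header->size < min_size`, in whatever form this function's return type allows, or at least a comment above the switch recording that precondition. agent_message_clipboard_from_le starts and ends outside the hunk.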
@@ -318,7 +318,7 @@ agent_check_message(const VDAgentMessage *message_header, uint8_t *message,
 if (vdata->nchannels > max_channels) {
 return AGENT_CHECK_TRUNCATED;
 }
- uint16_from_le(message, message_header->size, sizeof(*vdata));
+ uint16_from_le(message, message_header->size - sizeof(*vdata), sizeof(*vdata));
 break;
 }
 default:
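Review bot: `message_header->size - sizeof(*vdata)` mixes a uint32_t with a size_t, so the subtraction is performed in size_t, wraps if `size` is smaller than `sizeof(*vdata)`, and is then narrowed back to the uint32_t `size` parameter of uint16_from_le, which also trips -Wconversion. The preceding `nchannels > max_channels` check suggests the header size was already validated against sizeof(*vdata) earlier in the function, but that code is outside the hunk, so I would either keep an explicit `if (message_header->size < sizeof(*vdata)) return AGENT_CHECK_TRUNCATED;` next to this call or make the narrowing deliberate with `(uint32_t)(message_header->size - sizeof(*vdata))`. A tighter alternative, if the trailing entries are uint16_t values as the uint16_from_le call implies, is to pass `vdata->nchannels * sizeof(uint16_t)`, which ties the conversion to the count that was just validated rather than to however many bytes follow. agent_check_message starts and ends outside the hunk.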