Description of problem: When dynamic menu of SPICE ActiveX plugin is big enough (> 4096), the plugin crashes. The crash is probably caused by limited size of dynamic menu in the client: SpiceXCommon.h:#define RED_CLIENT_MAX_MENU_SIZE 4096 After adjusting dynamicMenu string so that is smaller than 4k the console connects fine. NOTE: The bug was repeatedly reproduced on Win8 with IE 10 by various users. I couldn't reproduce the bug on Win7 & IE9. Version-Release number of selected component (if applicable): Spice 5.0.3.5002 rhevm-3.5 vt9 IE 10 on Win8 32-bit Steps to Reproduce: 1. Try to connect to a SPICE VM using browser plugin on Win8 32-bit & IE10. Actual results: IE crashes. Expected results: IE doesn't crash. Additional info: IE doesn't crash if some part (some ISOs) of dynamic menu is dynamically deleted using IE Developer tools.
I can reproduce the problem, using the html test page + setting the menu size to 16 bytes. So 4096 bytes is not enough for the menu. How much is enough ? How did the menu string get so long ? One way of fixing this bug is to reject (return an invalid-param error) such long menu strings. That's probably not going to help rhev-m. Another option is to use a dynamically allocated strings, std::wstring. This solution trusts RHEV-M to not send much longer strings (MB/GB).
I could reproduce using file that has around 5.3k. This size is not unrealistic since dynamic menu contains CDs from ISO domain (which can grow to really big sizes). I think 1 MB is enough for everyone :) (as Michal pointed out, dynamic allocation with no limits/checking could DOS clients).
Patches posted http://post-office.corp.redhat.com/archives/spice-list/2015-February/msg00038.html
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0377.html