Description of problem:
It is possible to craft SPICE messages that, through integer overflows, cause buffer overflows.
Messages in the SPICE protocol contain pointers (offsets from the message start) and lengths. It is possible to cause an overflow that makes the code (it seems only the client, due to protocol details) allocate a small buffer but then access a large amount of memory.
I'll attach a demonstration program and 2 patches to solve the issue.
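As an added illustration (not the attached demonstration program and not the patches), here is the pattern the report describes, in C: a naive offset + length bounds check and a naive width * height * bpp size computation beside overflow-safe versions. The message layout and all function names are hypothetical, not SPICE's real wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Naive bounds check for a message field given as (offset, length) relative
 * to the message start: offset + length can wrap in 32 bits, so a small
 * offset with a huge length yields a tiny "end" and passes. The read that
 * follows then walks far past the buffer that was actually allocated. */
bool blob_in_bounds_naive(size_t msg_size, uint32_t offset, uint32_t length) {
    uint32_t end = offset + length;   /* wraps when offset + length >= 2^32 */
    return end <= msg_size;
}

/* Hardened check: compare before adding, so no arithmetic can wrap. */
bool blob_in_bounds_safe(size_t msg_size, uint32_t offset, uint32_t length) {
    if (offset > msg_size)
        return false;
    return length <= msg_size - offset;
}

/* Naive image size in 32-bit arithmetic: width * height * bpp silently
 * wraps, so a large image can be sized as a tiny or zero-length allocation. */
uint32_t image_size_naive(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* Hardened image size: each multiplication is range-checked first and the
 * function returns false instead of handing back a wrapped value. */
bool image_size_safe(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    if (width != 0 && height > SIZE_MAX / width)
        return false;
    size_t pixels = (size_t)width * height;
    if (pixels != 0 && bpp > SIZE_MAX / pixels)
        return false;
    *out = pixels * bpp;
    return true;
}

/* Resolve a reference stored in the first 8 bytes of a message (constructed
 * layout: host-order offset, then length). NULL when the safe check rejects. */
const uint8_t *blob_data(const uint8_t *msg, size_t msg_size) {
    uint32_t offset, length;
    if (msg_size < 8)
        return NULL;
    memcpy(&offset, msg, 4);
    memcpy(&length, msg + 4, 4);
    return blob_in_bounds_safe(msg_size, offset, length) ? msg + offset : NULL;
}
```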
Version-Release number of selected component (if applicable):
I wrote a small test program (attached) to test the issue.
Steps to Reproduce:
1. Just compile and run the attached program to demonstrate the issue.
Actual results:
Crash on the client due to a buffer overflow.
Expected results:
The messages are detected as invalid, optionally feedback is given, and the program closes correctly.
Created attachment 1048670
demonstration of the issue
Created attachment 1048671
Fix integer overflows for buffer size computations
Created attachment 1048672
Fix integer overflows for images size computations
Created attachment 1333612
Created attachment 1333613
Fix integer overflows computing sizes
Created attachment 1333614
Avoid integer overflow computing image sizes
Patches merged in master, commits a69fb1ec3425baf0a6dadced29669f4b708da923 and 617be0f74b88ce53d84d417c00696b8c1630b6ec.