
channel-main: Fix possible crash on Windows

Frediano Ziglio requested to merge fziglio/spice-gtk:fix_crash into master

agent_msg_queue_many is a variadic function reading parameters after the third using va_arg. Specifically it reads the sizes of buffers using the "gsize" type. On x64 for the Windows platform only the first 4 arguments of agent_msg_queue_many are passed in registers while the rest are passed on the stack. So the size is written on the stack. On x64 gsize is 64 bit while data_size in file_xfer_queue_msg_to_agent is an int which is 32 bit. So in some cases when data_size is stored on the stack in order to call agent_msg_queue_many from file_xfer_queue_msg_to_agent the compiler will write only 32 bits, like for instance with:

mov %ebx,0x28(%rsp)

The problem is that agent_msg_queue_many will use "va_arg(args, gsize)", reading 64 bits instead of 32. In this case the lower 32-bit part will be the "data_size" but the higher 32-bit part will be the previous content of the stack, basically garbage. This will cause the read size to be a huge value and the program will crash.

This could not be exploited; the operation will only lead to reading extra bytes and then crashing.

Signed-off-by: Frediano Ziglio fziglio@redhat.com
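The mismatch described above, shown as an added example that is not spice-gtk's own code: a hypothetical stand-in for agent_msg_queue_many reads each buffer length with va_arg(args, gsize), so every caller has to hand it a value of exactly that width. Passing a plain int is not a compile error, because variadic arguments get no type checking, which is why the fix belongs at the call site as an explicit cast. The names queue_many, queue_one_fixed and queue_two_fixed, and the use of size_t as a stand-in for GLib's gsize, are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/* Assumption: GLib's gsize has the width of size_t (64 bit on x64). */
typedef size_t gsize;

/* Hypothetical stand-in for agent_msg_queue_many. After the count it
 * reads (buffer, length) pairs and returns the total number of bytes
 * it would queue. Every length is read as gsize, so the caller must
 * pass exactly that type. */
static gsize queue_many(int nparts, ...)
{
    va_list args;
    gsize total = 0;

    va_start(args, nparts);
    for (int i = 0; i < nparts; i++) {
        const void *buf = va_arg(args, const void *);
        gsize len = va_arg(args, gsize);   /* always 64 bits on x64 */
        (void)buf;                         /* a real queue would copy it */
        total += len;
    }
    va_end(args);
    return total;
}

/* The defective pattern (kept as a comment, never compiled here):
 *
 *     int data_size = 5;
 *     queue_many(1, buf, data_size);
 *
 * The callee still executes va_arg(args, gsize). On Win64 a stack-passed
 * int is written as 32 bits, so the upper 32 bits of the 64-bit read are
 * stale stack contents, and the length becomes a huge value. */

/* Corrected pattern: widen the int to the type the callee will read.
 * Mirrors the fix for file_xfer_queue_msg_to_agent. */
static gsize queue_one_fixed(const char *buf, int data_size)
{
    return queue_many(1, buf, (gsize)data_size);
}

/* Same rule applied to a call with more than one buffer: the second
 * pair is the one that lands on the stack on Win64, so the cast
 * matters most there. */
static gsize queue_two_fixed(const char *hdr, int hdr_size,
                             const char *body, int body_size)
{
    return queue_many(2, hdr, (gsize)hdr_size, body, (gsize)body_size);
}

int main(void)
{
    const char hdr[] = "hdr";          /* constructed sample data */
    const char body[] = "payload";
    gsize n = queue_two_fixed(hdr, (int)strlen(hdr), body, (int)strlen(body));
    return n == 10 ? 0 : 1;
}
```

Compiling with -Wformat does not catch this class of bug, since the callee is not printf-like; a review check is to grep every caller of a va_arg(args, gsize) function for integer arguments that are not already gsize.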
