Bad agent_message_monitors_config_from_le check
The server crashes when it receives a monitors-config message that carries physical size information (AddressSanitizer report follows):
==240204==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0001dfe1c at pc 0x7fa3955182e1 bp 0x7ffc9d5f3a00 sp 0x7ffc9d5f39f8
READ of size 2 at 0x61b0001dfe1c thread T0
#0 0x7fa3955182e0 in uint16_from_le ../subprojects/spice-common/common/agent.c:137
#1 0x7fa395519dd2 in agent_message_monitors_config_from_le ../subprojects/spice-common/common/agent.c:267
#2 0x7fa395519fea in agent_check_message ../subprojects/spice-common/common/agent.c:295
#3 0x7fa3953c5577 in reds_on_main_agent_monitors_config ../server/reds.cpp:1150
#4 0x7fa3953c58f5 in reds_on_main_agent_data ../server/reds.cpp:1180
#5 0x7fa39530638f in MainChannelClient::handle_message(unsigned short, unsigned int, void*) ../server/main-channel.cpp:151
#6 0x7fa39535a2fd in RedChannelClient::handle_incoming() ../server/red-channel-client.cpp:1104
#7 0x7fa39535ab63 in RedChannelClient::receive() ../server/red-channel-client.cpp:1123
#8 0x7fa3953520d9 in red_channel_client_event ../server/red-channel-client.cpp:738
#9 0x7fa3964d967e in watch_read ../ui/spice-core.c:93
#10 0x55d53ebb23ce in aio_dispatch_handler ../util/aio-posix.c:329
#11 0x55d53ebb2de9 in aio_dispatch_handlers ../util/aio-posix.c:372
#12 0x55d53ebb2eed in aio_dispatch ../util/aio-posix.c:382
#13 0x55d53eb1acc1 in aio_ctx_dispatch ../util/async.c:306
#14 0x7fa39c6eceda in g_main_dispatch ../glib/gmain.c:3337
#15 0x7fa39c6eddfd in g_main_context_dispatch ../glib/gmain.c:4055
#16 0x55d53eb5f79d in glib_pollfds_poll ../util/main-loop.c:231
#17 0x55d53eb5f97a in os_host_main_loop_wait ../util/main-loop.c:254
#18 0x55d53eb5fc70 in main_loop_wait ../util/main-loop.c:530
#19 0x55d53e33ef2a in qemu_main_loop ../softmmu/runstate.c:725
#20 0x55d53d143055 in main ../softmmu/main.c:50
#21 0x7fa39b4231e1 in __libc_start_main ../csu/libc-start.c:314
#22 0x55d53d142f6d in _start (/home/elmarco/src/qemu/build/qemu-system-x86_64+0x28e1f6d)
0x61b0001dfe1c is located 0 bytes to the right of 1436-byte region [0x61b0001df880,0x61b0001dfe1c)
allocated by thread T0 here:
#0 0x7fa39d138748 in __interceptor_realloc (/lib64/libasan.so.6+0xab748)
#1 0x7fa395577d99 in spice_realloc ../subprojects/spice-common/common/mem.c:120
#2 0x7fa39557915b in spice_buffer_reserve ../subprojects/spice-common/common/mem.c:246
#3 0x7fa395579610 in spice_buffer_append ../subprojects/spice-common/common/mem.c:275
#4 0x7fa3953c4e2b in reds_on_main_agent_monitors_config ../server/reds.cpp:1128
#5 0x7fa3953c58f5 in reds_on_main_agent_data ../server/reds.cpp:1180
#6 0x7fa39530638f in MainChannelClient::handle_message(unsigned short, unsigned int, void*) ../server/main-channel.cpp:151
#7 0x7fa39535a2fd in RedChannelClient::handle_incoming() ../server/red-channel-client.cpp:1104
#8 0x7fa39535ab63 in RedChannelClient::receive() ../server/red-channel-client.cpp:1123
#9 0x7fa3953520d9 in red_channel_client_event ../server/red-channel-client.cpp:738
#10 0x7fa3964d967e in watch_read ../ui/spice-core.c:93
#11 0x55d53ebb23ce in aio_dispatch_handler ../util/aio-posix.c:329
#12 0x55d53ebb2de9 in aio_dispatch_handlers ../util/aio-posix.c:372
#13 0x55d53ebb2eed in aio_dispatch ../util/aio-posix.c:382
#14 0x55d53eb1acc1 in aio_ctx_dispatch ../util/async.c:306
#15 0x7fa39c6eceda in g_main_dispatch ../glib/gmain.c:3337
#16 0x7fa39c6eddfd in g_main_context_dispatch ../glib/gmain.c:4055
#17 0x55d53eb5f79d in glib_pollfds_poll ../util/main-loop.c:231
#18 0x55d53eb5f97a in os_host_main_loop_wait ../util/main-loop.c:254
#19 0x55d53eb5fc70 in main_loop_wait ../util/main-loop.c:530
#20 0x55d53e33ef2a in qemu_main_loop ../softmmu/runstate.c:725
#21 0x55d53d143055 in main ../softmmu/main.c:50
#22 0x7fa39b4231e1 in __libc_start_main ../csu/libc-start.c:314
SUMMARY: AddressSanitizer: heap-buffer-overflow ../subprojects/spice-common/common/agent.c:137 in uint16_from_le