From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Fri, 6 Oct 2017 09:38:31 +0100
Subject: [spice-server] inputs-channel: Check message size handling migration data

Prevent possible buffer reading overflow. Note that message pointer must be valid and data are checked value by value so even on overflow you just get an error.

Signed-off-by: Frediano Ziglio
Acked-by: Christophe Fergeau
---
 server/inputs-channel.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/inputs-channel.c b/server/inputs-channel.c
index 8e17cc724..11a338a26 100644
--- a/server/inputs-channel.c
+++ b/server/inputs-channel.c
@@ -505,6 +505,11 @@ static bool inputs_channel_handle_migrate_data(RedChannelClient *rcc,
 SpiceMigrateDataHeader *header;
 SpiceMigrateDataInputs *mig_data;
+ if (size < sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)) {
+ spice_warning("bad message size %u", size);
+ return FALSE;
+ }
+
 header = (SpiceMigrateDataHeader *)message;
 mig_data = (SpiceMigrateDataInputs *)(header + 1);
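Review bot: The new size check carries no comment tying it to the two casts directly below it, which are what read `sizeof(SpiceMigrateDataHeader) + sizeof(SpiceMigrateDataInputs)` bytes from `message`; a one-line comment such as `/* message must hold the header plus SpiceMigrateDataInputs before the casts below */` would keep the guard from being moved or dropped in a later refactor. The declaration of `size` is outside the hunk: both `%u` and the comparison against a `size_t` sum assume it is an unsigned 32-bit value, and if it were signed a negative length would convert to a large value and pass the check, so that is worth confirming against the signature. The function body continues past the hunk, so whether later code reads beyond these two structs cannot be judged from here.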