gentoo-overlay/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch

From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
From: Matthias Maier <tamiko@43-1.org>
Date: Tue, 14 Jun 2016 00:08:05 -0500
Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I

This is a port of

  0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch

to version 0.13.1

Original commit message:

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
Date: Thu, 17 Dec 2015 18:13:47 +0100
Subject: [PATCH] smartcard: add a ref to item before adding to pipe

There is an unref when the message is sent.

[...]

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
---
 server/smartcard.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/smartcard.c b/server/smartcard.c
index ba6f2f5..96e4295 100644
--- a/server/smartcard.c
+++ b/server/smartcard.c
@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
     smartcard_unref_vsc_msg_item((MsgItem *)msg);
 }
 
-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
+static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
                                          RedClient *client,
                                          void *opaque)
 {
     RedCharDeviceSmartcard *dev = opaque;
-    spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
-    smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base);
 
+    MsgItem *msg = (MsgItem *)message;
+    PipeItem *item = &msg->base;
+
+    spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+    smartcard_ref_vsc_msg_item(msg);
+    smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item);
 }
 
 static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
-- 
2.7.3