Github user mike-jumper commented on a diff in the pull request:
https://github.com/apache/guacamole-server/pull/183#discussion_r216484687
--- Diff: src/libguac/parser.c ---
@@ -222,7 +222,11 @@ int guac_parser_read(guac_parser* parser, guac_socket*
socket, int usec_timeout)
retval = guac_socket_select(socket, usec_timeout);
if (retval <= 0)
return -1;
-
+
+ /* Reset pointers if instruction buf len is less than max
instruction len */
+ if (buffer_end - unparsed_end < GUAC_INSTRUCTION_MAX_LENGTH)
+ unparsed_end = unparsed_start = parser->__instructionbuf;
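Review bot: the reset guarded by `if (buffer_end - unparsed_end < GUAC_INSTRUCTION_MAX_LENGTH)` moves both `unparsed_start` and `unparsed_end` back to `parser->__instructionbuf` without moving the bytes between them, so an instruction that has only been partially received is silently abandoned and the next read lands at the buffer start, no longer contiguous with what was already buffered. Either guard the reset with `unparsed_start == unparsed_end` so it only fires when nothing is pending, or compact instead: `memmove(parser->__instructionbuf, unparsed_start, unparsed_end - unparsed_start)` and rebase both pointers by the same offset. The new comment should also state the purpose (reclaiming space for the next read) rather than restating the condition.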
--- End diff --
This can result in the corruption of the in-progress instruction. There is
no guarantee that the sequence of reads which trigger the `if` condition will
not (for example) split part of an instruction element. While the normal
pattern of updates to `unparsed_start` and `unparsed_end` would guarantee that
the sequence of reads ultimately builds a contiguous instruction, that
guarantee is lost if those pointers are updated in this way - reads are
suddenly no longer contiguous.
---
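As an added illustration of the point raised in the comment above (example code written for this page, not libguac's code; the buffer sizes, struct and function names are hypothetical), the following C program models the parser's buffer with a pair of pending-byte pointers and shows what happens when a read boundary splits an instruction: the pointer reset from the diff loses the pending element, while compacting the pending bytes with memmove keeps the in-progress instruction contiguous. The sample bytes are constructed and only loosely follow the protocol's `length.value,` element form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes chosen so the third read trips the reset; not libguac's constants. */
#define BUF_SIZE      16
#define MAX_INSTR_LEN 10

/* Toy stand-in for the parser's instruction buffer and its two pending-byte pointers. */
typedef struct {
    char  buf[BUF_SIZE];
    char *unparsed_start;   /* first byte not yet consumed by the parser */
    char *unparsed_end;     /* one past the last byte received */
} toy_parser;

static void toy_init(toy_parser *p) {
    memset(p->buf, 0, sizeof p->buf);
    p->unparsed_start = p->unparsed_end = p->buf;
}

/* Model of one socket read of `len` bytes. When fewer than MAX_INSTR_LEN bytes of
 * free space remain, either reset the pointers as the diff does (buggy_reset != 0),
 * which abandons whatever is pending, or compact the pending bytes to the front of
 * the buffer so the partially received instruction stays contiguous. Returns bytes stored. */
static size_t toy_feed(toy_parser *p, const char *data, size_t len, int buggy_reset) {
    char *buffer_end = p->buf + BUF_SIZE;

    if (buffer_end - p->unparsed_end < MAX_INSTR_LEN) {
        size_t pending = (size_t)(p->unparsed_end - p->unparsed_start);
        if (buggy_reset) {
            /* The diff's behaviour: pending bytes become unreachable. */
            p->unparsed_end = p->unparsed_start = p->buf;
        } else {
            /* Keep the partial instruction; memmove tolerates the overlap. */
            memmove(p->buf, p->unparsed_start, pending);
            p->unparsed_start = p->buf;
            p->unparsed_end   = p->buf + pending;
        }
    }

    size_t room = (size_t)(buffer_end - p->unparsed_end);
    if (len > room)
        len = room;
    memcpy(p->unparsed_end, data, len);
    p->unparsed_end += len;
    return len;
}

/* Pull the next ';'-terminated instruction out of the pending region into `out`.
 * Returns its length, 0 if no complete instruction is buffered, -1 if `out` is too small. */
static int toy_next_instruction(toy_parser *p, char *out, size_t outsz) {
    for (char *c = p->unparsed_start; c < p->unparsed_end; c++) {
        if (*c == ';') {
            size_t n = (size_t)(c - p->unparsed_start) + 1;
            if (n >= outsz)
                return -1;
            memcpy(out, p->unparsed_start, n);
            out[n] = '\0';
            p->unparsed_start = c + 1;
            return (int)n;
        }
    }
    return 0;
}

/* Three reads, the last of which arrives while an element is still pending. */
static int run_scenario(int buggy_reset, char *out, size_t outsz) {
    toy_parser p;
    char scratch[32];
    toy_init(&p);

    toy_feed(&p, "1.a;", 4, buggy_reset);              /* complete instruction */
    toy_next_instruction(&p, scratch, sizeof scratch);  /* consumed; 12 bytes still free */

    toy_feed(&p, "1.b,", 4, buggy_reset);              /* first element of the next one */
    toy_next_instruction(&p, scratch, sizeof scratch);  /* nothing complete yet; 8 bytes free */

    /* 8 < MAX_INSTR_LEN, so this read triggers the reset or the compaction
     * while "1.b," is still pending. */
    toy_feed(&p, "2.yz;", 5, buggy_reset);
    return toy_next_instruction(&p, out, outsz);
}

int main(void) {
    char out[32];
    int n = run_scenario(1, out, sizeof out);
    printf("pointer reset  : %d bytes -> \"%s\" (first element lost)\n", n, out);
    n = run_scenario(0, out, sizeof out);
    printf("memmove compact: %d bytes -> \"%s\"\n", n, out);
    return 0;
}
```

With the reset, the parser hands back `2.yz;` as if it were a whole instruction, so the element `b` sent by the peer disappears and the following element is parsed in its place; with compaction the parser sees `1.b,2.yz;` exactly as sent. A guard of `unparsed_start == unparsed_end` before the reset would avoid the loss as well, at the cost of never reclaiming space while bytes are pending.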