Commit 69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a
1 parent
b1503cda
Properly handle the case of SetPixelEncodings with a length of zero.
This commit addresses CORE-2008-1210/CVE-2008-2382. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6121 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
6 additions
and
3 deletions
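--- a/vnc.c
+++ b/vnc.c
@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
 if (len == 1)
 return 4;
 
-if (len == 4)
-return 4 + (read_u16(data, 2) * 4);
+if (len == 4) {
+limit = read_u16(data, 2);
+if (limit > 0)
+return 4 + (limit * 4);
+} else
+limit = read_u16(data, 2);
 
-limit = read_u16(data, 2);
 for (i = 0; i < limit; i++) {
 int32_t val = read_s32(data, 4 + (i * 4));
 memcpy(data + 4 + (i * 4), &val, sizeof(val));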
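Review bot: `limit` is read from the same two bytes in both arms of the new `if (len == 4)` block, and the `else` arm is brace-less; reading it once and folding the condition, `limit = read_u16(data, 2); if (len == 4 && limit > 0) return 4 + (limit * 4);`, expresses the same logic (request the encoding list only when it is non-empty) in two lines and removes the duplicate call. The reason the zero case must not return here is the substance of this fix and deserves a comment, e.g. `/* limit == 0: no encodings follow; fall through and handle the empty list instead of re-requesting the same 4 bytes forever */`. The declaration of `limit` and the code after the loop are outside the hunk, so I cannot confirm its type or what the zero-iteration path returns; the arithmetic `4 + (limit * 4)` is safe only if `limit` is no wider than the 16-bit value read_u16 yields.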