Commit baa7666c74e7495c0982afe2a566aabcd4dbe1ac
1 parent
b7ffa3b1
Fix infinite loop in VNC support, by Marc Bevand.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3169 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
5 additions
and
2 deletions
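--- a/vnc.c
+++ b/vnc.c
@@ -1195,8 +1195,11 @@ static int protocol_client_msg(VncState *vs, char *data, size_t len)
 if (len == 1)
 return 8;
 
-if (len == 8)
-return 8 + read_u32(data, 4);
+if (len == 8) {
+uint32_t dlen = read_u32(data, 4);
+if (dlen > 0)
+return 8 + dlen;
+}
 
 client_cut_text(vs, read_u32(data, 4), data + 8);
 break;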
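Review bot: `dlen` is still an unbounded, client-supplied length at `return 8 + dlen;`. The sum is computed in 32-bit unsigned arithmetic, so a value within 8 of `UINT32_MAX` wraps to a small number or zero, and anything above `INT_MAX` does not survive conversion to the `int` return type. Depending on how the caller (not visible here) uses the returned expected length, this could bring back the non-progressing read loop this commit fixes, and even non-wrapping large values ask the server to buffer gigabytes of cut text. I would reject oversized lengths before the return, e.g. `if (dlen > VNC_MAX_CUT_TEXT) { /* drop the client */ }`, where `VNC_MAX_CUT_TEXT` is a placeholder for a limit the project chooses, and add a short comment that a zero-length text deliberately falls through to `client_cut_text`. The body of `protocol_client_msg` starts and ends outside this hunk.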