Commit baa7666c74e7495c0982afe2a566aabcd4dbe1ac
1 parent
b7ffa3b1
Fix infinite loop in VNC support, by Marc Bevand.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3169 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
5 additions
and
2 deletions
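--- a/vnc.c
+++ b/vnc.c
@@ -1195,8 +1195,11 @@ static int protocol_client_msg(VncState *vs, char *data, size_t len)
  if (len == 1)
  return 8;
 
- if (len == 8)
- return 8 + read_u32(data, 4);
+ if (len == 8) {
+ uint32_t dlen = read_u32(data, 4);
+ if (dlen > 0)
+ return 8 + dlen;
+ }
 
  client_cut_text(vs, read_u32(data, 4), data + 8);
  break;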
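Review bot: `dlen` is a client-supplied 32-bit length, and the new `return 8 + dlen;` accepts any non-zero value with no upper bound. The sum is computed in `uint32_t`, so values near `UINT32_MAX` wrap, and the result is then converted to the function's `int` return type; what the caller does with a wrapped or negative byte count is outside the hunk, but it presumably decides how much more data to wait for. I would reject oversized cut-text messages before returning, for example `if (dlen > CUT_TEXT_MAX) return -1; /* CUT_TEXT_MAX and the error return are placeholders */`, using whatever disconnect convention this file already has. protocol_client_msg starts and ends outside the hunk, so the surrounding switch and its other message types are not covered by this note.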