Properly handle the case of SetPixelEncodings with a length of zero.
authoraliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>
Mon, 22 Dec 2008 21:06:23 +0000 (21:06 +0000)
committeraliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>
Mon, 22 Dec 2008 21:06:23 +0000 (21:06 +0000)
This commit addresses CORE-2008-1210/CVE-2008-2382.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6121 c046a42c-6fe2-441c-8c8c-71466251a162

vnc.c

diff --git a/vnc.c b/vnc.c
index 3a7d76234a733c22271020dacc005d4ae3d11636..575fd68983d21ba8c95c56ff2ca85526198d93b4 100644 (file)
--- a/vnc.c
+++ b/vnc.c
@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
        if (len == 1)
            return 4;
 
-       if (len == 4)
-           return 4 + (read_u16(data, 2) * 4);
+       if (len == 4) {
+            limit = read_u16(data, 2);
+            if (limit > 0)
+                return 4 + (limit * 4);
+        } else
+            limit = read_u16(data, 2);
 
-       limit = read_u16(data, 2);
        for (i = 0; i < limit; i++) {
            int32_t val = read_s32(data, 4 + (i * 4));
            memcpy(data + 4 + (i * 4), &val, sizeof(val));