From 69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a Mon Sep 17 00:00:00 2001 From: aliguori Date: Mon, 22 Dec 2008 21:06:23 +0000 Subject: [PATCH] Properly handle the case of SetPixelEncodings with a length of zero. This commit addresses CORE-2008-1210/CVE-2008-2382. Signed-off-by: Anthony Liguori git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6121 c046a42c-6fe2-441c-8c8c-71466251a162 --- vnc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/vnc.c b/vnc.c index 3a7d76234a..575fd68983 100644 --- a/vnc.c +++ b/vnc.c @@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) if (len == 1) return 4; - if (len == 4) - return 4 + (read_u16(data, 2) * 4); + if (len == 4) { + limit = read_u16(data, 2); + if (limit > 0) + return 4 + (limit * 4); + } else + limit = read_u16(data, 2); - limit = read_u16(data, 2); for (i = 0; i < limit; i++) { int32_t val = read_s32(data, 4 + (i * 4)); memcpy(data + 4 + (i * 4), &val, sizeof(val)); -- 2.34.1