diff options
author | Mauro Matteo Cascella <mcascell@redhat.com> | 2023-07-04 10:41:22 +0200 |
---|---|---|
committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2023-07-17 15:20:56 +0400 |
commit | d921fea338c1059a27ce7b75309d7a2e485f710b (patch) | |
tree | f239072cd590cde62cc59fa6af1db4713a5d144f /hw/ide/piix.c | |
parent | 9c18a9234bab9d5e903f897b30fb4a37888aebfc (diff) | |
download | qemu-d921fea338c1059a27ce7b75309d7a2e485f710b.zip qemu-d921fea338c1059a27ce7b75309d7a2e485f710b.tar.gz qemu-d921fea338c1059a27ce7b75309d7a2e485f710b.tar.bz2 |
ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
Diffstat (limited to 'hw/ide/piix.c')
0 files changed, 0 insertions, 0 deletions