diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2023-03-30 14:23:40 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2023-04-20 11:17:35 +0200 |
commit | 3f9c41c5df9617510d8533cf6588172efb3df34b (patch) | |
tree | ebb251784ad78c2dff960cd3f607e40028b28575 /ui | |
parent | 3488fc326297831e5d57e6d49ed17d9c1c6d056b (diff) | |
download | qemu-3f9c41c5df9617510d8533cf6588172efb3df34b.zip qemu-3f9c41c5df9617510d8533cf6588172efb3df34b.tar.gz qemu-3f9c41c5df9617510d8533cf6588172efb3df34b.tar.bz2 |
vnc: avoid underflow when accessing user-provided address
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line. If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.
Fix it by checking hostlen.
Reported by Coverity.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'ui')
-rw-r--r-- | ui/vnc.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr, addr->type = SOCKET_ADDRESS_TYPE_INET; inet = &addr->u.inet; - if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { + if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { inet->host = g_strndup(addrstr + 1, hostlen - 2); } else { inet->host = g_strndup(addrstr, hostlen); |