aboutsummaryrefslogtreecommitdiff
path: root/vnc.c
diff options
context:
space:
mode:
authoraliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>2008-12-22 21:06:23 +0000
committeraliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>2008-12-22 21:06:23 +0000
commit69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a (patch)
tree99127996b2af61997af09c92bf7e50e0b9772683 /vnc.c
parentb1503cda1e78cad4dca522ddbb4c69f4c6869bcd (diff)
downloadqemu-69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a.zip
qemu-69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a.tar.gz
qemu-69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a.tar.bz2
Properly handle the case of SetPixelEncodings with a length of zero.
This commit addresses CORE-2008-1210/CVE-2008-2382. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6121 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'vnc.c')
-rw-r--r--vnc.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/vnc.c b/vnc.c
index 3a7d76234..575fd68 100644
--- a/vnc.c
+++ b/vnc.c
@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
if (len == 1)
return 4;
- if (len == 4)
- return 4 + (read_u16(data, 2) * 4);
+ if (len == 4) {
+ limit = read_u16(data, 2);
+ if (limit > 0)
+ return 4 + (limit * 4);
+ } else
+ limit = read_u16(data, 2);
- limit = read_u16(data, 2);
for (i = 0; i < limit; i++) {
int32_t val = read_s32(data, 4 + (i * 4));
memcpy(data + 4 + (i * 4), &val, sizeof(val));