mii/qemu
1
0
Fork 0
mirror of https://github.com/mii443/qemu.git synced 2025-08-22 23:25:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

vnc: avoid underflow when accessing user-provided address

Browse Source 
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line.  If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.

Fix it by checking hostlen.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3f9c41c5df)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
Paolo Bonzini
2023-03-30 14:23:40 +02:00
committed by Michael Tokarev
parent c1eb2ddf0f
commit 6f7b9f7b6f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ui/vnc.c
View File

@ -3751,7 +3751,7 @@ static int vnc_display_get_address(const char *addrstr,
addr->type = SOCKET_ADDRESS_TYPE_INET;
inet = &addr->u.inet;
if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
inet->host = g_strndup(addrstr + 1, hostlen - 2);
} else {
inet->host = g_strndup(addrstr, hostlen);