Properly handle the case of SetPixelEncodings with a length of zero. This commit addresses CORE-2008-1210/CVE-2008-2382. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6121 c046a42c-6fe2-441c-8c8c-71466251a162

commit: 69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a [log] [tgz]
author: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> Mon Dec 22 21:06:23 2008 +0000
committer: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> Mon Dec 22 21:06:23 2008 +0000
tree: 99127996b2af61997af09c92bf7e50e0b9772683
parent: b1503cda1e78cad4dca522ddbb4c69f4c6869bcd [diff] [blame]
diff --git a/vnc.c b/vnc.c
index 3a7d762..575fd68 100644
--- a/vnc.c
+++ b/vnc.c

@@ -1503,10 +1503,13 @@
 	if (len == 1)
 	    return 4;
 
-	if (len == 4)
-	    return 4 + (read_u16(data, 2) * 4);
+	if (len == 4) {
+            limit = read_u16(data, 2);
+            if (limit > 0)
+                return 4 + (limit * 4);
+        } else
+            limit = read_u16(data, 2);
 
-	limit = read_u16(data, 2);
 	for (i = 0; i < limit; i++) {
 	    int32_t val = read_s32(data, 4 + (i * 4));
 	    memcpy(data + 4 + (i * 4), &val, sizeof(val));
commit	69dd5c9ffd5c0c6a01ad14b9c6a8d7135ccc2b9a	[log] [tgz]
author	aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>	Mon Dec 22 21:06:23 2008 +0000
committer	aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>	Mon Dec 22 21:06:23 2008 +0000
tree	99127996b2af61997af09c92bf7e50e0b9772683
parent	b1503cda1e78cad4dca522ddbb4c69f4c6869bcd [diff] [blame]