)]}'
{
  "commit": "a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e",
  "tree": "50dd263e322551021e69347f95dfb0aef5a0a2ac",
  "parents": [
    "b8a86c4ac4d04c106ba38fbd707041cba334a155"
  ],
  "author": {
    "name": "Daniel P. Berrange",
    "email": "berrange@redhat.com",
    "time": "Mon Mar 23 22:58:21 2015 +0000"
  },
  "committer": {
    "name": "Gerd Hoffmann",
    "email": "kraxel@redhat.com",
    "time": "Wed Apr 01 17:11:34 2015 +0200"
  },
  "message": "CVE-2015-1779: incrementally decode websocket frames\n\nThe logic for decoding websocket frames wants to fully\ndecode the frame header and payload, before allowing the\nVNC server to see any of the payload data. There is no\nsize limit on websocket payloads, so this allows a\nmalicious network client to consume 2^64 bytes in memory\nin QEMU. It can trigger this denial of service before\nthe VNC server even performs any authentication.\n\nThe fix is to decode the header, and then incrementally\ndecode the payload data as it is needed. With this fix\nthe websocket decoder will allow at most 4k of data to\nbe buffered before decoding and processing payload.\n\nSigned-off-by: Daniel P. Berrange \u003cberrange@redhat.com\u003e\n\n[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]\n\n  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,\n  -        *payload_size \u003d input-\u003eoffset;\n  +        *payload_size \u003d *payload_remain;\n\n[ kraxel: fix 32bit build ]\n\n  @@ -306,7 +306,7 @@ struct VncState\n  -    uint64_t ws_payload_remain;\n  +    size_t ws_payload_remain;\n\nSigned-off-by: Gerd Hoffmann \u003ckraxel@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "85dbb7e6ae36d3421c21cf0d7c517b121de2bb56",
      "old_mode": 33188,
      "old_path": "ui/vnc-ws.c",
      "new_id": "0b7de4e6628d6e704c8f72f6760ef3dd7515664c",
      "new_mode": 33188,
      "new_path": "ui/vnc-ws.c"
    },
    {
      "type": "modify",
      "old_id": "ef229b7c0c437600c06576726f4cae0f3ce4a578",
      "old_mode": 33188,
      "old_path": "ui/vnc-ws.h",
      "new_id": "14d4230eff149d61859fdbd00862ff71f2c53f08",
      "new_mode": 33188,
      "new_path": "ui/vnc-ws.h"
    },
    {
      "type": "modify",
      "old_id": "e19ac396f285c0e4b4c07a250f459c0e0e749735",
      "old_mode": 33188,
      "old_path": "ui/vnc.h",
      "new_id": "3f7c6a9bc6344a310cdbe22d721e71d540061f9f",
      "new_mode": 33188,
      "new_path": "ui/vnc.h"
    }
  ]
}