42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From 3d6a5be54f59b86db1d9513cff24ca6f7d002400 Mon Sep 17 00:00:00 2001
|
|
From: qihao <qihao_yewu@cmss.chinamobile.com>
|
|
Date: Tue, 27 Jun 2023 17:39:56 +0800
|
|
Subject: [PATCH] vnc: avoid underflow when accessing user-provided address
|
|
|
|
cheery-pick from bfc532703f3c4f8d2744748c440ca36ce9798ccb
|
|
|
|
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
|
|
underflows and, if a closing bracked is there, hostlen - 2 is passed
|
|
to g_strndup() on the next line. If websocket==false then
|
|
addrstr[0] would be a colon, but if websocket==true this could in
|
|
principle happen.
|
|
|
|
Fix it by checking hostlen.
|
|
|
|
Reported by Coverity.
|
|
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b)
|
|
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
|
|
---
|
|
ui/vnc.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/ui/vnc.c b/ui/vnc.c
|
|
index 91e067ba7c..f4322a9065 100644
|
|
--- a/ui/vnc.c
|
|
+++ b/ui/vnc.c
|
|
@@ -3761,7 +3761,7 @@ static int vnc_display_get_address(const char *addrstr,
|
|
|
|
addr->type = SOCKET_ADDRESS_TYPE_INET;
|
|
inet = &addr->u.inet;
|
|
- if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
|
|
+ if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
|
|
inet->host = g_strndup(addrstr + 1, hostlen - 2);
|
|
} else {
|
|
inet->host = g_strndup(addrstr, hostlen);
|
|
--
|
|
2.41.0.windows.1
|
|
|