- upstream fix
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Wed, 21 Jan 2009 08:29:24 +0000 (08:29 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    qemu-CVE-2008-2382.patch -> 1.1

qemu-CVE-2008-2382.patch [new file with mode: 0644]

diff --git a/qemu-CVE-2008-2382.patch b/qemu-CVE-2008-2382.patch
new file mode 100644 (file)
index 0000000..f5b0458
--- /dev/null
@@ -0,0 +1,27 @@
+Fix CORE-2008-1210 VNC DoS
+
+If the client sends us a limit of zero, handle appropriately.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+diff --git a/vnc.c b/vnc.c
+index 3a7d762..575fd68 100644
+--- a/vnc.c
++++ b/vnc.c
+@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+       if (len == 1)
+           return 4;
+-      if (len == 4)
+-          return 4 + (read_u16(data, 2) * 4);
++      if (len == 4) {
++            limit = read_u16(data, 2);
++            if (limit > 0)
++                return 4 + (limit * 4);
++        } else
++            limit = read_u16(data, 2);
+-      limit = read_u16(data, 2);
+       for (i = 0; i < limit; i++) {
+           int32_t val = read_s32(data, 4 + (i * 4));
+           memcpy(data + 4 + (i * 4), &val, sizeof(val));
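Review bot: The embedded vnc.c hunk reads `limit = read_u16(data, 2)` in both arms of the new `if (len == 4) { … } else`, which obscures the only behavioural change, that a zero count no longer takes the early return. Reading it once and guarding the return, `limit = read_u16(data, 2);` followed by `if (len == 4 && limit > 0) return 4 + (limit * 4);`, is equivalent and also removes the mixed tab/space indentation and the unbraced `else`. A comment such as `/* limit == 0: no encodings follow, so do not return 4 again for bytes already received */` would record why the guard exists; that reading of the return value is inferred from the neighbouring `return 4`, not shown in the hunk. The loop that follows still takes its bound from the client-supplied `limit` rather than from `len`, so it relies on the caller having buffered 4 + limit * 4 bytes, which cannot be confirmed here because protocol_client_msg starts and ends outside the hunk.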