1 Fix CORE-2008-1210 VNC DoS
3 If the client sends us a limit of zero, handle appropriately.
5 Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
7 diff --git a/vnc.c b/vnc.c
8 index 3a7d762..575fd68 100644
11 @@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
16 - return 4 + (read_u16(data, 2) * 4);
18 + limit = read_u16(data, 2);
20 + return 4 + (limit * 4);
22 + limit = read_u16(data, 2);
24 - limit = read_u16(data, 2);
25 for (i = 0; i < limit; i++) {
26 int32_t val = read_s32(data, 4 + (i * 4));
27 memcpy(data + 4 + (i * 4), &val, sizeof(val));
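Review bot: The added code parses the same field twice, `limit = read_u16(data, 2);` before `return 4 + (limit * 4);` and again on the other path, and nothing in the hunk says why a zero `limit` must not take that return. The branch conditions are not visible in this listing, so this is inferred from the commit message, but if both paths run only once the 4-byte header is present, a single read ahead of the branch would do. A comment such as `/* limit == 0: no payload follows; do not ask again for the 4 bytes we already hold */` would also keep the zero case from being simplified away later. The loop that follows indexes `data + 4 + (i * 4)` for every `i < limit` with no comparison against `len` in the visible lines, so it relies on the caller having delivered `4 + limit * 4` bytes; a one-line comment or assertion stating that precondition would help. protocol_client_msg starts and ends outside the hunk, and any other message types there that compute their expected length from a client-supplied count deserve the same zero-count check.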