Snippets Groups Projects

Commit d307040b authored 2 years ago by Mauro Matteo Cascella Committed by Gerd Hoffmann 2 years ago

ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext


Extended ClientCutText messages start with a 4-byte header. If len < 4,
an integer underflow occurs in vnc_client_cut_text_ext. The result is
used to decompress data in a while loop in inflate_buffer, leading to
CPU consumption and denial of service. Prevent this by checking dlen in
protocol_client_msg.

Fixes: CVE-2022-3165
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent b6d93282

No related branches found

No related tags found

No related merge requests found

Show whitespace changes

Inline Side-by-side

Showing with 8 additions and 3 deletions

Nicolas Dechesne @ndec
mentioned in commit openembedded/openembedded-core@c7eb6da6
· 2 years ago

mentioned in commit openembedded/openembedded-core@c7eb6da6

mentioned in commit openembedded/openembedded-core@c7eb6da6fa68caf2fb0becbbebeea5e8ea2c9c56

Toggle commit list
Sean Letzer @sletzer
mentioned in commit raspet/yocto/poky@52e9ab5d
· 2 years ago

mentioned in commit raspet/yocto/poky@52e9ab5d

mentioned in commit raspet/yocto/poky@52e9ab5da1f445266c94b0c6432ddc2747fdc2c0

Toggle commit list

Please register or to comment