qemu-commits

From: GitHub
Subject: [Qemu-commits] [qemu/qemu] f9a70e: ui/vnc: limit client_cut_text msg payload size
Date: Tue, 01 Jul 2014 08:30:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: f9a70e79391f6d7c2a912d785239ee8effc1922d
      https://github.com/qemu/qemu/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d
  Author: Peter Lieven <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  ui/vnc: limit client_cut_text msg payload size

Currently a malicious client could define a payload
size of 2^32 - 1 bytes and send up to that size of
data to the vnc server. The server would allocate
that amount of memory which could easily create an
out of memory condition.

This patch limits the payload size to 1MB max.

Please note that client_cut_text messages are currently
silently ignored.

Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
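
The length check the first commit describes, as an added example that is not QEMU's ui/vnc.c: only the ClientCutText layout (type 6, three padding bytes, 32-bit big-endian length, then text) comes from the RFB spec; the function and constant names, the 1 MiB cap constant and the wrapper used for checking are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ClientCutText header parser (not QEMU code). */
#define CLIENT_CUT_TEXT   6
#define CUT_TEXT_MAX_LEN  (1u << 20)   /* 1 MiB cap, as the commit describes */
#define CUT_TEXT_HDR_LEN  8

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a constructed header announcing `len` payload bytes. */
void make_cut_text_hdr(uint8_t hdr[CUT_TEXT_HDR_LEN], uint32_t len)
{
    memset(hdr, 0, CUT_TEXT_HDR_LEN);
    hdr[0] = CLIENT_CUT_TEXT;
    hdr[4] = (uint8_t)(len >> 24); hdr[5] = (uint8_t)(len >> 16);
    hdr[6] = (uint8_t)(len >> 8);  hdr[7] = (uint8_t)len;
}

/* Pre-fix behaviour: the announced length is trusted as the buffer size,
 * so a client can ask the server to allocate 2^32 - 1 bytes. */
uint32_t cut_text_len_unchecked(const uint8_t *hdr)
{
    return read_u32_be(hdr + 4);
}

/* Post-fix behaviour: validate before any allocation. Returns 1 and stores
 * the length when it is within the cap; returns 0 (drop the client) otherwise. */
int cut_text_len_checked(const uint8_t *hdr, uint32_t *len_out)
{
    uint32_t len;
    if (hdr[0] != CLIENT_CUT_TEXT)
        return 0;
    len = read_u32_be(hdr + 4);
    if (len > CUT_TEXT_MAX_LEN) {
        fprintf(stderr, "vnc: cut text length %u exceeds %u, rejecting\n",
                len, CUT_TEXT_MAX_LEN);
        return 0;
    }
    *len_out = len;
    return 1;
}

/* Wrapper: build a header for `len` and report whether the check accepts it. */
int announced_len_accepted(uint32_t len)
{
    uint8_t hdr[CUT_TEXT_HDR_LEN];
    uint32_t got = 0;
    make_cut_text_hdr(hdr, len);
    return cut_text_len_checked(hdr, &got) && got == len;
}
```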


  Commit: bea60dd7679364493a0d7f5b54316c767cf894ef
      https://github.com/qemu/qemu/commit/bea60dd7679364493a0d7f5b54316c767cf894ef
  Author: Peter Lieven <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M ui/vnc.c
    M ui/vnc.h

  Log Message:
  -----------
  ui/vnc: fix potential memory corruption issues

This patch makes the VNC server work correctly if the
server surface and the guest surface have different sizes.

Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH
x VNC_MAX_HEIGHT and additionally the width is rounded up to a multiple of
VNC_DIRTY_PIXELS_PER_BIT.

If we have a resolution whose width is not divisible by VNC_DIRTY_PIXELS_PER_BIT
we now get a small black bar on the right of the screen.

If the surface is too big to fit the limits only the upper left area is shown.

On top of that this fixes 2 memory corruption issues:

The first was actually discovered while playing
around with a Windows 7 vServer. During resolution
change in Windows 7 it happens sometimes that Windows
changes to an intermediate resolution where
server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface).
This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0.

The second is a theoretical issue, but may be exploitable
by the guest. If for some reason the guest surface size is bigger
than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since
this limit is nowhere enforced.

Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: f9119a25729644300046efda3dd9f50d68fe2106
      https://github.com/qemu/qemu/commit/f9119a25729644300046efda3dd9f50d68fe2106
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M ui/vnc.c
    M ui/vnc.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20140701-1' into staging

vnc: two bugfixes (by Peter Lieven).

# gpg: Signature made Tue 01 Jul 2014 12:32:19 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-vnc-20140701-1:
  ui/vnc: fix potential memory corruption issues
  ui/vnc: limit client_cut_text msg payload size

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/1aa85f46b336...f9119a257296
