vnc: Limit r/w access to size of allocated memory
This fixes memory reads and writes which exceeded the upper limit of allocated memory vd->guest.ds->data and vd->server->data. Cc: Anthony Liguori <aliguori@us.ibm.com> Signed-off-by: Stefan Weil <weil@mail.berlios.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
parent
175b2a6e4b
commit
9e4dd565b4
3
ui/vnc.c
3
ui/vnc.c
@ -2562,6 +2562,9 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
|
||||
* Update server dirty map.
|
||||
*/
|
||||
cmp_bytes = 16 * ds_get_bytes_per_pixel(vd->ds);
|
||||
if (cmp_bytes > vd->ds->surface->linesize) {
|
||||
cmp_bytes = vd->ds->surface->linesize;
|
||||
}
|
||||
guest_row = vd->guest.ds->data;
|
||||
server_row = vd->server->data;
|
||||
for (y = 0; y < vd->guest.ds->height; y++) {
|
||||
|
Loading…
Reference in New Issue
Block a user