From ebfbf394671163c14e2b24d98f3927a3151d1aff Mon Sep 17 00:00:00 2001 From: Fiona Ebner Date: Wed, 22 Nov 2023 13:58:26 +0100 Subject: [PATCH] ui/vnc-clipboard: fix inflate_buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still required, because it can happen that stream.avail_in becomes zero before coming across a return value of Z_STREAM_END in the loop. This fixes the host->guest direction of the clipboard with noVNC and TigerVNC as clients. Fixes: d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") Reported-by: Friedrich Weber Signed-off-by: Fiona Ebner Acked-by: Marc-André Lureau Message-Id: <20231122125826.228189-1-f.ebner@proxmox.com> --- ui/vnc-clipboard.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c index c759be3438..124b6fbd9c 100644 --- a/ui/vnc-clipboard.c +++ b/ui/vnc-clipboard.c @@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) } } + *size = stream.total_out; + inflateEnd(&stream); + + return out; + err_end: inflateEnd(&stream); err: