[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 07/32] CVE-2014-7815: vnc: sanitize bits_per_pixel from the client

To: Xen-devel <xen-devel@xxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Wed, 22 Apr 2015 16:07:44 +0100
Delivery-date: Wed, 22 Apr 2015 15:11:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Backport of qemu-upstream:
 * e6908bfe8e07f2b452e78e677da1b45b1c0f6829

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 vnc.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/vnc.c b/vnc.c
index 7629dfa..7006a34 100644
--- a/vnc.c
+++ b/vnc.c
@@ -1616,6 +1616,16 @@ static void set_pixel_format(VncState *vs,
         return;
     }
 
+    switch (bits_per_pixel) {
+    case 8:
+    case 16:
+    case 32:
+        break;
+    default:
+        vnc_client_error(vs);
+        return;
+    }
+
     vs->clientds = vs->serverds;
     vs->clientds.pf.rmax = red_max;
     count_bits(vs->clientds.pf.rbits, red_max);
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH 00/32] Qemu Traditional bugfixes
  - From: Andrew Cooper
- [Xen-devel] [PATCH 01/32] virtio-blk: initialise unused blkcfg.size_max field
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH 03/32] lm832x: don't overrun file buffer on save/restore
Next by Date: [Xen-devel] [PATCH 05/32] usb-linux.c: fix buffer overflow
Previous by thread: [Xen-devel] [PATCH 03/32] lm832x: don't overrun file buffer on save/restore
Next by thread: [Xen-devel] [PATCH 05/32] usb-linux.c: fix buffer overflow
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.