authorPeter Maydell <peter.maydell@linaro.org>2014-10-30 18:21:25 +0000
committerPeter Maydell <peter.maydell@linaro.org>2014-10-30 18:21:25 +0000
commitfecd54ccd79c647d7161878c92eba9bf37a4279d (patch)
tree635a63410b4a77a0e2f79afbcb987ea982ce49d3
parentf33f43bd86beb94ae1be14a62dc89cbeb4a665bb (diff)
parent9d6b20704734fe1ab789400806ebd54f579d50a2 (diff)
Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20141028-1' into staging
vnc: return directly if no vnc client connected vnc: sanitize bits_per_pixel from the client (CVE-2014-7815) # gpg: Signature made Tue 28 Oct 2014 10:52:31 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-vnc-20141028-1: vnc: return directly if no vnc client connected vnc: sanitize bits_per_pixel from the client Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--ui/vnc.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/ui/vnc.c b/ui/vnc.c
index 0fe6eff1b8..57070150d4 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
return;
}
+ switch (bits_per_pixel) {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ vnc_client_error(vs);
+ return;
+ }
+
vs->client_pf.rmax = red_max;
vs->client_pf.rbits = hweight_long(red_max);
vs->client_pf.rshift = red_shift;
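Review bot: Only bits_per_pixel is validated by the new switch; the assignments right after it still store the client-supplied `red_max` and `red_shift` unchecked (`vs->client_pf.rmax = red_max;`, `vs->client_pf.rshift = red_shift;`). If the pixel-conversion code divides by the max values or shifts by the shift values (that code is not visible in this hunk), a zero max or a shift at or beyond the pixel width would be the same class of problem, so the check could be extended in the same place, e.g. `if (!red_max || red_shift >= bits_per_pixel) { vnc_client_error(vs); return; }`, assuming zero is never legitimate here, and likewise for the green and blue fields if they are handled the same way. A short comment above the switch, such as `/* client-controlled: only depths the encoders and conversion code handle */`, would also record why 8/16/32 are the only accepted values. set_pixel_format starts and ends outside the hunk.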
@@ -2768,6 +2778,11 @@ static void vnc_refresh(DisplayChangeListener *dcl)
VncState *vs, *vn;
int has_dirty, rects = 0;
+ if (QTAILQ_EMPTY(&vd->clients)) {
+ update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
+ return;
+ }
+
graphic_hw_update(NULL);
if (vnc_trylock_display(vd)) {
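Review bot: The early return added at the top of vnc_refresh deserves a one-line comment, because it is not obvious from the code that skipping `graphic_hw_update(NULL)` when nobody is connected is intended; something like `/* No client connected: skip the hardware update and poll at the slowest interval. */` would do. The test of `vd->clients` also now runs before `vnc_trylock_display(vd)`; whether that list is covered by the display lock is not visible here, so it is worth confirming it is only modified on the thread that runs this callback. The body of vnc_refresh continues outside the hunk.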
@@ -2783,11 +2798,6 @@ static void vnc_refresh(DisplayChangeListener *dcl)
/* vs might be free()ed here */
}
- if (QTAILQ_EMPTY(&vd->clients)) {
- update_displaychangelistener(&vd->dcl, VNC_REFRESH_INTERVAL_MAX);
- return;
- }
-
if (has_dirty && rects) {
vd->dcl.update_interval /= 2;
if (vd->dcl.update_interval < VNC_REFRESH_INTERVAL_BASE) {