vnc: avoid underflow when accessing user-provided address

If hostlen is zero, there is a possibility that addrstr[hostlen - 1] underflows and, if a closing bracked is there, hostlen - 2 is passed to g_strndup() on the next line. If websocket==false then addrstr[0] would be a colon, but if websocket==true this could in principle happen. Fix it by checking hostlen. Reported by Coverity. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
author: Paolo Bonzini <pbonzini@redhat.com> 2023-03-30 14:23:40 +0200
committer: Michael Tokarev <mjt@tls.msk.ru> 2023-04-27 08:52:57 +0300
commit: bfc532703f3c4f8d2744748c440ca36ce9798ccb (patch)
tree: 32e0d44d472747aba0c049c3fa1daf9c06b7bb36
parent: 161e1f22b8a288f88efa40590faab1bc4c2d86a9 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ui/vnc.c b/ui/vnc.c
index 88f55cbf3c..1856d57380 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr,
 
         addr->type = SOCKET_ADDRESS_TYPE_INET;
         inet = &addr->u.inet;
-        if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+        if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
             inet->host = g_strndup(addrstr + 1, hostlen - 2);
         } else {
             inet->host = g_strndup(addrstr, hostlen);
author	Paolo Bonzini <pbonzini@redhat.com>	2023-03-30 14:23:40 +0200
committer	Michael Tokarev <mjt@tls.msk.ru>	2023-04-27 08:52:57 +0300
commit	bfc532703f3c4f8d2744748c440ca36ce9798ccb (patch)
tree	32e0d44d472747aba0c049c3fa1daf9c06b7bb36
parent	161e1f22b8a288f88efa40590faab1bc4c2d86a9 (diff)