Commit c952b715 authored Dec 07, 2016 by Marc-André Lureau Committed by Gerd Hoffmann Jan 10, 2017

gtk: avoid oob array access



When too many consoles are created, vcs[] may be write out-of-bounds.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20161207105511.25173-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent 6250dff3

ui/gtk.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1706,6 +1706,11 @@ static CharDriverState gd_vc_handler(ChardevVC vc, Error **errp)
		ChardevCommon *common = qapi_ChardevVC_base(vc);
		CharDriverState *chr;

		if (nb_vcs == MAX_VCS) {
		error_setg(errp, "Maximum number of consoles reached");
		return NULL;
		}

		chr = qemu_chr_alloc(common, errp);
		if (!chr) {
		return NULL;