Commit dffa1de0 authored Feb 05, 2018 by Daniel P. Berrangé Committed by Gerd Hoffmann Feb 16, 2018

ui: avoid risk of 32-bit int overflow in VNC buffer check



For very large framebuffers, it is theoretically possible for the result
of 'vs->throttle_output_offset * VNC_THROTTLE_OUTPUT_LIMIT_SCALE' to
exceed the size of a 32-bit int. For this to happen in practice, the
video RAM would have to be set to a large enough value, which is not
likely today. None the less we can be paranoid against future growth by
using division instead of multiplication when checking the limits.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180205114938.15784-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent 8dfa3061

ui/vnc.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1579,8 +1579,8 @@ void vnc_write(VncState vs, const void data, size_t len)
		* handshake, or from the job thread's VncState clone
		*/
		if (vs->throttle_output_offset != 0 &&
		vs->output.offset > (vs->throttle_output_offset *
		VNC_THROTTLE_OUTPUT_LIMIT_SCALE)) {
		(vs->output.offset / VNC_THROTTLE_OUTPUT_LIMIT_SCALE) >
		vs->throttle_output_offset) {
		trace_vnc_client_output_limit(vs, vs->ioc, vs->output.offset,
		vs->throttle_output_offset);
		vnc_disconnect_start(vs);