[PATCH] ui/vnc-clipboard: validate decompressed text length

zhaoguohan@kylinos.cn posted 1 patch 2 weeks ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20260415012336.964736-1-zhaoguohan@kylinos.cn
Maintainers: "Marc-André Lureau" <marcandre.lureau@redhat.com>
ui/vnc-clipboard.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] ui/vnc-clipboard: validate decompressed text length
Posted by zhaoguohan@kylinos.cn 2 weeks ago
From: GuoHan Zhao <zhaoguohan@kylinos.cn>

The decompressed clipboard data starts with a 32-bit text length.
Check that the advertised length fits in the payload after that
header before passing it to qemu_clipboard_set_data().

Otherwise a malformed VNC clipboard message can make QEMU read past
the end of the decompressed buffer.

Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
---
 ui/vnc-clipboard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 124b6fbd9c23..85851a632dba 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -281,8 +281,8 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, uint32_t flags, uint8_t
         if ((flags & VNC_CLIPBOARD_TEXT) &&
             buf && size >= 4) {
             uint32_t tsize = read_u32(buf, 0);
-            uint8_t *tbuf = buf + 4;
-            if (tsize < size) {
+            uint8_t *tbuf = buf + sizeof(tsize);
+            if (tsize <= size - sizeof(tsize)) {
                 qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
                                         QEMU_CLIPBOARD_TYPE_TEXT,
                                         tsize, tbuf, true);
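Review bot: the new bound `tsize <= size - sizeof(tsize)` only avoids an unsigned underflow because the unchanged guard two lines above still reads `buf && size >= 4`; now that the header size is spelled `sizeof(tsize)` in both `+` lines, that guard should use the same expression (`size >= sizeof(tsize)`) or carry a one-line comment saying the subtraction cannot go negative, so the two conditions cannot drift apart in a later edit. The fix itself is right: the old `tsize < size` ignored the 4-byte header, so a length of `size - 1` passed the check and let qemu_clipboard_set_data() read up to 3 bytes past the end of the decompressed buffer, while the new form accounts for the header.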
-- 
2.43.0
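The check the patch introduces, written out as a stand-alone parser for the decompressed extended-clipboard text payload (an added example, not QEMU's code; `be_read_u32`, `old_check_accepts`, `clipboard_text_extract` and the byte buffers are constructed for illustration and assume the 4-byte big-endian length header the commit message describes):

```c
/* Added example: the pre-patch length check next to the fixed one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 32-bit read of the text-length header (assumed layout). */
static uint32_t be_read_u32(const uint8_t *buf, size_t off)
{
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

/* Pre-patch condition (tsize < size): true when the payload is accepted. */
static bool old_check_accepts(const uint8_t *buf, size_t size)
{
    if (!buf || size < 4) return false;
    return be_read_u32(buf, 0) < size;
}

/* Bytes the old check lets a consumer read past the end of buf (0..3). */
static size_t old_check_overread(const uint8_t *buf, size_t size)
{
    if (!old_check_accepts(buf, size)) return 0;
    size_t end = (size_t)be_read_u32(buf, 0) + 4;   /* header + text */
    return end > size ? end - size : 0;
}

/* Fixed condition: the text must fit in the bytes after the header.
 * On success *text/*tsize describe a range that lies entirely in buf. */
static bool clipboard_text_extract(const uint8_t *buf, size_t size,
                                   const uint8_t **text, uint32_t *tsize)
{
    if (!buf || size < sizeof(*tsize)) return false;
    uint32_t t = be_read_u32(buf, 0);
    if (t > size - sizeof(*tsize)) return false;  /* size >= 4: no underflow */
    *tsize = t;
    *text = buf + sizeof(*tsize);
    return true;
}

int main(void)
{
    /* Constructed payload: header advertises 5 bytes, only 2 follow. */
    const uint8_t bad[] = { 0, 0, 0, 5, 'h', 'i' };
    const uint8_t *text; uint32_t tsize;
    printf("old check: accepted=%d over-read=%zu bytes\n",
           old_check_accepts(bad, sizeof bad), old_check_overread(bad, sizeof bad));
    printf("fixed check: accepted=%d\n",
           clipboard_text_extract(bad, sizeof bad, &text, &tsize));
    return 0;
}
```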
Re: [PATCH] ui/vnc-clipboard: validate decompressed text length
Posted by Marc-André Lureau 2 weeks ago
Hi

On Wed, Apr 15, 2026 at 5:24 AM <zhaoguohan@kylinos.cn> wrote:
>
> From: GuoHan Zhao <zhaoguohan@kylinos.cn>
>
> The decompressed clipboard data starts with a 32-bit text length.
> Check that the advertised length fits in the payload after that
> header before passing it to qemu_clipboard_set_data().
>
> Otherwise a malformed VNC clipboard message can make QEMU read past
> the end of the decompressed buffer.
>
> Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
> Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  ui/vnc-clipboard.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> index 124b6fbd9c23..85851a632dba 100644
> --- a/ui/vnc-clipboard.c
> +++ b/ui/vnc-clipboard.c
> @@ -281,8 +281,8 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, uint32_t flags, uint8_t
>          if ((flags & VNC_CLIPBOARD_TEXT) &&
>              buf && size >= 4) {
>              uint32_t tsize = read_u32(buf, 0);
> -            uint8_t *tbuf = buf + 4;
> -            if (tsize < size) {
> +            uint8_t *tbuf = buf + sizeof(tsize);
> +            if (tsize <= size - sizeof(tsize)) {
>                  qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
>                                          QEMU_CLIPBOARD_TYPE_TEXT,
>                                          tsize, tbuf, true);
> --
> 2.43.0
>