Hi
On Wed, Nov 22, 2023 at 5:00 PM Fiona Ebner <[email protected]> wrote:
>
> Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
> inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
> required, because it can happen that stream.avail_in becomes zero
> before coming across a return value of Z_STREAM_END in the loop.
Isn't this an error from the client side then?
>
> This fixes the host->guest direction of the clipboard with noVNC and
> TigerVNC as clients.
>
> Fixes: d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer
> (CVE-2023-3255)")
> Reported-by: Friedrich Weber <[email protected]>
> Signed-off-by: Fiona Ebner <[email protected]>
> ---
> ui/vnc-clipboard.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> index c759be3438..124b6fbd9c 100644
> --- a/ui/vnc-clipboard.c
> +++ b/ui/vnc-clipboard.c
> @@ -69,6 +69,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t
> in_len, uint32_t *size)
> }
> }
>
> + *size = stream.total_out;
> + inflateEnd(&stream);
> +
> + return out;
> +
> err_end:
> inflateEnd(&stream);
> err:
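Review bot: The restored return path just before err_end reports success for any loop exit that did not see Z_STREAM_END, so a stream that simply ran out of input (stream.avail_in reaching zero) is returned the same way as a complete one, with *size = stream.total_out. Since d921fea338 removed these lines as part of the CVE-2023-3255 fix, a short comment above `*size = stream.total_out;` saying why input exhaustion is an accepted end condition would help keep them from being dropped again. It is also worth confirming that callers handle *size being 0 when nothing was inflated.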
> --
> 2.39.2
>
>
>
--
Marc-André Lureau