When too many consoles are created, vcs[] may be written out of bounds.
Signed-off-by: Marc-André Lureau <[email protected]>
---
ui/gtk.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ui/gtk.c b/ui/gtk.c
index e81642876a..67c52179ee 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1696,6 +1696,11 @@ static CharDriverState *gd_vc_handler(ChardevVC *vc,
Error **errp)
ChardevCommon *common = qapi_ChardevVC_base(vc);
CharDriverState *chr;
+ if (nb_vcs == MAX_VCS) {
+ error_setg(errp, "Maximum number of consoles reached");
+ return NULL;
+ }
+
chr = qemu_chr_alloc(common, errp);
if (!chr) {
return NULL;
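Review bot: The new guard at the top of gd_vc_handler tests `nb_vcs == MAX_VCS`, which rejects only the exact boundary value. The code that stores into vcs[] and increments nb_vcs is outside this hunk, so whether the counter can ever exceed the limit is not visible here. Writing `if (nb_vcs >= MAX_VCS) {` costs nothing and keeps the array write bounded even if the counter is ever wrong. A short comment above the check, such as `/* vcs[] holds MAX_VCS entries; refuse before allocating the chardev */`, would also record why the test sits before qemu_chr_alloc().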
--
2.11.0