From bfc532703f3c4f8d2744748c440ca36ce9798ccb Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Thu, 30 Mar 2023 14:23:40 +0200 Subject: [PATCH] vnc: avoid underflow when accessing user-provided address If hostlen is zero, there is a possibility that addrstr[hostlen - 1] underflows and, if a closing bracked is there, hostlen - 2 is passed to g_strndup() on the next line. If websocket==false then addrstr[0] would be a colon, but if websocket==true this could in principle happen. Fix it by checking hostlen. Reported by Coverity. Signed-off-by: Paolo Bonzini (cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b) Signed-off-by: Michael Tokarev --- ui/vnc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ui/vnc.c b/ui/vnc.c index 88f55cbf3c..1856d57380 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3765,7 +3765,7 @@ static int vnc_display_get_address(const char *addrstr, addr->type = SOCKET_ADDRESS_TYPE_INET; inet = &addr->u.inet; - if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { + if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { inet->host = g_strndup(addrstr + 1, hostlen - 2); } else { inet->host = g_strndup(addrstr, hostlen);