[gtk-vnc] Make decoding of audio extension more robust



commit 06c3f9a1d6a14f3ff06b38214b1b0e5d41ae8eb5
Author: Daniel P. Berrange <berrange redhat com>
Date:   Fri Dec 9 16:11:21 2011 +0000

    Make decoding of audio extension more robust
    
    Add checks for unknown QEMU messages and crazy sized audio
    data packets

 src/vncconnection.c |   45 ++++++++++++++++++++++++++++++++-------------
 1 files changed, 32 insertions(+), 13 deletions(-)
---
diff --git a/src/vncconnection.c b/src/vncconnection.c
index ca686ec..3791356 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -2990,26 +2990,45 @@ static gboolean vnc_connection_server_message(VncConnection *conn)
 	}	break;
 	case 255: { /* QEMU Messages */
 		guint8  n_type;
-		guint16 n_subtype;
-		guint32 n_length;
-		char *data;
 
-		vnc_connection_read(conn, &n_type, 1);
-		n_subtype = vnc_connection_read_u16(conn);
-		if (n_type==1) /* QEMU audio */
-		{
-			switch (n_subtype)
-			{
-			case 2: 
-				n_length = vnc_connection_read_u32(conn); 
-				data = g_new(char, n_length); 
-				vnc_connection_read(conn, data, n_length); 
+		n_type = vnc_connection_read_u8(conn);
+
+		if (priv->has_error)
+			break;
+
+		switch (n_type) {
+		case 1: { /* QEMU audio */
+			guint16 n_subtype;
+			guint32 n_length;
+			char *data;
+
+			n_subtype = vnc_connection_read_u16(conn);
+			switch (n_subtype) {
+			case 2:
+				n_length = vnc_connection_read_u32(conn);
+				if (n_length > (1024*1024)) {
+					VNC_DEBUG("Received audio message that is too large %u", n_length);
+					priv->has_error = TRUE;
+					break;
+				}
+				data = g_new(char, n_length);
+				vnc_connection_read(conn, data, n_length);
+				if (priv->has_error)
+					break;
 				vnc_audio_sink_data(conn, data, n_length);
 				g_free(data);
 				break;
 			case 1: vnc_audio_sink_begin(conn); break;
 			case 0: vnc_audio_sink_end(conn);  break;
+			default:
+				VNC_DEBUG("Received unknown QEMU audio message: %u", (int)n_subtype);
+				priv->has_error = TRUE;
+				break;
 			}
+		}       break;
+		default:
+			VNC_DEBUG("Received an unknown QEMU message: %u", n_type);
+			priv->has_error = TRUE;
 		}
 	} break;
 	default:
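Review bot: The error path added after the bulk read leaks the audio buffer: when `vnc_connection_read(conn, data, n_length)` sets `priv->has_error`, the new `break` leaves the `case 2:` arm before `g_free(data)` is reached, so a failed or truncated read drops up to 1 MiB per message. The check should release the buffer first, `if (priv->has_error) { g_free(data); break; }`. Separately, `n_subtype` and `n_length` are consumed without an intervening `priv->has_error` test, so a short read there still enters the switch with an undefined value; it would be consistent with the `n_type` handling to test `has_error` right after each read. The enclosing `vnc_connection_server_message` switch starts and ends outside this hunk.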


