QEMU's VNC extended clipboard handler inflates a client-controlled
compressed clipboard payload. The code checks the declared text size
against the total inflated buffer size:
if (tsize < size)
but then copies from:
tbuf = buf + 4;
qemu_clipboard_set_data(..., tsize, tbuf, true);
The correct bound is the remaining data length after the 4-byte length
field, not the total inflated buffer length.
As a result, a VNC client can make QEMU copy up to 3 bytes past the end
of the inflated heap buffer. With a second VNC client, those copied
bytes are observable through the normal VNC extended clipboard PROVIDE
path.
Fixes: CVE-2026-8343
Reported-by: Heechan Kang <gganji11@naver.com>
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Heechan Kang <gganji11@naver.com>
[DB: added #include and 'return' statements]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <
20260512095543.459949-1-berrange@redhat.com>
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "vnc.h"
#include "vnc-jobs.h"
buf && size >= 4) {
uint32_t tsize = read_u32(buf, 0);
uint8_t *tbuf = buf + 4;
- if (tsize < size) {
+ if (tsize <= size - 4) {
qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
QEMU_CLIPBOARD_TYPE_TEXT,
tsize, tbuf, true);
+ } else {
+ error_report("vnc: malformed extended clipboard payload "
+ "with text length %u exceeding available %u",
+ tsize, size - 4);
+ vnc_client_error(vs);
+ return;
}
}
}
projects / thirdparty / qemu.git / commitdiff
