Patchwork vnc: tight: Fix crash after 2GB of output

login
register
mail settings
Submitter Roland Dreier
Date March 4, 2011, 12:57 a.m.
Message ID <1299200265-32685-1-git-send-email-roland@kernel.org>
Download mbox | patch
Permalink /patch/85359/
State New
Headers show

Comments

Roland Dreier - March 4, 2011, 12:57 a.m.
From: Roland Dreier <roland@purestorage.com>

If one leaves a VNC session with tight compression running for long
enough, Qemu crashes.  This is because of the computation

    bytes = zstream->total_out - previous_out;

in tight_compress_data, where zstream->total_out is a uLong but
previous_out is an int.  As soon as zstream->total_out gets past
INT_MAX (ie 2GB), previous_out becomes negative and therefore the
result of the subtraction, bytes, becomes a huge positive number that
causes havoc for obvious reasons when passed as a length to
vnc_write().

The fix for this is simple: keep previous_out as a uLong too, which
avoids any problems with sign conversion or truncation.

Signed-off-by: Roland Dreier <roland@purestorage.com>
---
 ui/vnc-enc-tight.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index af45edd..59ec0e3 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -829,7 +829,7 @@  static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
                                int level, int strategy)
 {
     z_streamp zstream = &vs->tight.stream[stream_id];
-    int previous_out;
+    uLong previous_out;
 
     if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) {
         vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset);