vnc: tight: Fix crash after 2GB of output

Message ID
State New
Headers show

Commit Message

Roland Dreier March 4, 2011, 12:57 a.m.
From: Roland Dreier <>

If one leaves a VNC session with tight compression running for long
enough, Qemu crashes.  This is because of the computation

    bytes = zstream->total_out - previous_out;

in tight_compress_data, where zstream->total_out is a uLong but
previous_out is an int.  As soon as zstream->total_out gets past
INT_MAX (ie 2GB), previous_out becomes negative and therefore the
result of the subtraction, bytes, becomes a huge positive number that
causes havoc for obvious reasons when passed as a length to

The fix for this is simple: keep previous_out as a uLong too, which
avoids any problems with sign conversion or truncation.

Signed-off-by: Roland Dreier <>
 ui/vnc-enc-tight.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index af45edd..59ec0e3 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -829,7 +829,7 @@  static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
                                int level, int strategy)
     z_streamp zstream = &vs->[stream_id];
-    int previous_out;
+    uLong previous_out;
     if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) {
         vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset);