Details
- Type: Bug
- Resolution: Unresolved
- Priority: P4: Low
- Affects Version/s: 5.12.10, 6.0.2
Description
qtbase/src/plugins/platforms/vnc/qvncclient.cpp:

    void QVncClient::clientCutText()
    {
        // ...
        // implicit uint32 to int32 conversion (m_cutTextPending is an int, ev.length a uint32)
        m_cutTextPending = ev.length;
        // ...
        // If the client sets ev.length to UINT_MAX - 1 then this condition is always true,
        // because m_cutTextPending == -2: it is non-zero, and bytesAvailable() never returns
        // less than 0, so it is always >= -2 even when the socket holds no data.
        if (m_cutTextPending && m_clientSocket->bytesAvailable() >= m_cutTextPending) {
            // negative allocation: new char[-1]
            char *text = new char [m_cutTextPending+1];
            // ...
        }
    }
m_cutTextPending is client-provided (the cut-text length arrives as a 32-bit unsigned value from the client), so a client can force an allocation of negative size: new char[-1] throws (std::bad_array_new_length, a std::bad_alloc subclass, on a C++11 or later toolchain), and if nothing up the stack catches it the process terminates. UINT_MAX - 1 is only one instance: any length in the range 2^31 .. UINT_MAX - 1 becomes a negative, non-zero int and has the same effect, while UINT_MAX becomes -1 and merely yields new char[0].
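The following is an added example, not Qt's code, that models the signed/unsigned mismatch in a stand-alone program and shows one way to harden it: keep the length unsigned, cap it, and only then compare against the socket and allocate. FakeSocket, kMaxCutText, vulnerableCutText, hardenedCutText and the simulate*() helpers are assumptions made for this example; the cap value is a policy choice, not something the RFB message format imposes.

```cpp
// Added example (not Qt's code): model of the QVncClient::clientCutText()
// length-handling bug beside a hardened version. All names are assumptions.
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>
#include <new>
#include <string>
#include <vector>

// Constructed stand-in for the client socket: the bytes received so far.
struct FakeSocket {
    std::vector<char> pending;
    explicit FakeSocket(const std::string &bytes) : pending(bytes.begin(), bytes.end()) {}
    int64_t bytesAvailable() const { return static_cast<int64_t>(pending.size()); }
    int64_t read(char *dst, int64_t n) {
        if (n < 0) return -1;                                   // reject a negative size
        int64_t take = std::min<int64_t>(n, bytesAvailable());
        std::copy_n(pending.begin(), take, dst);
        pending.erase(pending.begin(), pending.begin() + take);
        return take;
    }
};

enum class Outcome { Waiting, Read, Threw, Rejected };

// Vulnerable shape, as in the report: the client's u32 length lands in an int.
Outcome vulnerableCutText(FakeSocket &sock, uint32_t length) {
    int cutTextPending = static_cast<int>(length);   // UINT_MAX - 1 becomes -2 (two's complement)
    // -2 is non-zero and bytesAvailable() (never below 0) is always >= -2,
    // so the guard passes although the socket holds no data at all.
    if (cutTextPending && sock.bytesAvailable() >= cutTextPending) {
        try {
            char *text = new char[cutTextPending + 1];   // new char[-1]
            sock.read(text, cutTextPending);
            delete[] text;
            return Outcome::Read;
        } catch (const std::bad_alloc &) {               // bad_array_new_length is a bad_alloc
            return Outcome::Threw;
        }
    }
    return Outcome::Waiting;
}

// Hardened shape: keep the length unsigned, cap it before anything else
// (assumed policy limit), and compare in the socket's 64-bit type.
constexpr uint32_t kMaxCutText = 1u << 20;

Outcome hardenedCutText(FakeSocket &sock, uint32_t length, std::string &out) {
    if (length > kMaxCutText) return Outcome::Rejected;          // drop the client, allocate nothing
    if (length == 0) { out.clear(); return Outcome::Read; }
    if (sock.bytesAvailable() < static_cast<int64_t>(length)) return Outcome::Waiting;
    out.assign(length, '\0');
    sock.read(&out[0], static_cast<int64_t>(length));
    return Outcome::Read;
}

// Helpers that build the socket from constructed client bytes so that each
// scenario is a single call.
Outcome simulateVulnerable(const std::string &clientBytes, uint32_t length) {
    FakeSocket sock(clientBytes);
    return vulnerableCutText(sock, length);
}

Outcome simulateHardened(const std::string &clientBytes, uint32_t length) {
    FakeSocket sock(clientBytes);
    std::string text;
    return hardenedCutText(sock, length, text);
}

std::string hardenedText(const std::string &clientBytes, uint32_t length) {
    FakeSocket sock(clientBytes);
    std::string text;
    hardenedCutText(sock, length, text);
    return text;
}

int main() {
    std::printf("vulnerable, length UINT_MAX-1, empty socket: %s\n",
                simulateVulnerable("", UINT_MAX - 1u) == Outcome::Threw ? "threw bad_alloc" : "no throw");
    std::printf("hardened,   length UINT_MAX-1, empty socket: %s\n",
                simulateHardened("", UINT_MAX - 1u) == Outcome::Rejected ? "rejected" : "not rejected");
    return 0;
}
```

The vulnerable path catches the exception only so the program can report it; in the real plugin nothing catches it, which is the crash the report describes. The hardened version never lets an untrusted length reach a signed variable or an allocation before it has been bounded, and it rejects rather than waits, so a malicious client cannot park a huge pending length on the connection either.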