Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: P4: Low
Fix Version/s: None
Affects Version/s: 5.12.10, 6.0.2
Component/s: QPA
Labels:
None

Description

qtbase/src/plugins/platforms/vnc/qvncclient.cpp:

void QVncClient::clientCutText()
{
    // ...
    // implicit uint32 to int32 conversion
    m_cutTextPending = ev.length;
    // ...
    // If the client sets ev.length to UINT_MAX - 1 then this condition is always true because m_cutTextPending == -2
    if (m_cutTextPending && m_clientSocket->bytesAvailable() >= m_cutTextPending) {
        // negative allocation
        char *text = new char [m_cutTextPending+1];
        // ...
    }

m_cutTextPending is client provided and allows the client to force an allocation of negative size (std::bad_alloc exception).

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Unassigned

Reporter:: Florian Freund

PM Owner:: Veli-Pekka Heinonen

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13 Mar '21 20:21

Updated:: 05 Apr '22 11:19

Gerrit Reviews

There are no open Gerrit changes