Details
- Type: Bug
- Status: Reported
- Priority: P4: Low
- Resolution: Unresolved
- Affects Version/s: 5.12.10, 6.0.2
- Fix Version/s: None
- Component/s: QPA
- Labels: None
Description
qtbase/src/plugins/platforms/vnc/qvncclient.cpp:
    void QVncClient::clientCutText()
    {
        // ...
        // implicit uint32 to int32 conversion
        m_cutTextPending = ev.length;
        // ...
        // If the client sets ev.length to UINT_MAX - 1 then this condition is
        // always true because m_cutTextPending == -2
        if (m_cutTextPending && m_clientSocket->bytesAvailable() >= m_cutTextPending) {
            // negative allocation
            char *text = new char [m_cutTextPending+1];
            // ...
        }
        // ...
    }
m_cutTextPending is client-provided, so a client can force an allocation of negative size (std::bad_alloc exception).
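To make the sign-conversion failure concrete, the following added example (not code from qtbase or from the reporter) reproduces the readiness check and allocation in isolation and places a hardened variant beside it. The struct ClientCutTextEvent, the functions, and the 1 MiB cap kMaxCutTextLength are constructed for this illustration and are not Qt's own fix; the point they show is that the length must stay unsigned, be bounded before use, and be compared in a type wide enough to hold both operands.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <new>
#include <vector>

// Constructed stand-in for the RFB ClientCutText header: the wire length
// field is an unsigned 32-bit integer, exactly like ev.length in the report.
struct ClientCutTextEvent {
    uint32_t length;
};

// Vulnerable pattern (mirrors the report): the unsigned length is stored in a
// signed int, so any value >= 2^31 becomes negative and the readiness check
// passes as soon as bytesAvailable is >= that negative number, i.e. always.
bool unsafeReadyToCopy(const ClientCutTextEvent &ev, int64_t bytesAvailable) {
    int cutTextPending = ev.length;   // implicit uint32 -> int32 conversion
    return cutTextPending && bytesAvailable >= cutTextPending;
}

// The allocation the vulnerable path then performs. With cutTextPending == -2
// the array size is -1, which the new-expression rejects by throwing
// std::bad_array_new_length (a subclass of std::bad_alloc).
bool unsafeAllocate(const ClientCutTextEvent &ev) {
    int cutTextPending = ev.length;   // same wrapping conversion
    try {
        char *text = new char[cutTextPending + 1];
        delete[] text;
        return true;
    } catch (const std::bad_alloc &) {
        return false;                 // uncaught in the real handler: process aborts
    }
}

// Hardened pattern: keep the length unsigned, cap it at a server-chosen
// maximum (assumed value, 1 MiB) before comparing or allocating, and widen
// to int64_t so the comparison never changes sign.
constexpr uint32_t kMaxCutTextLength = 1u << 20;

bool safeReadyToCopy(const ClientCutTextEvent &ev, int64_t bytesAvailable) {
    if (ev.length == 0 || ev.length > kMaxCutTextLength)
        return false;                 // reject oversized lengths instead of waiting on them
    return bytesAvailable >= static_cast<int64_t>(ev.length);
}

// Bounded allocation via std::vector; returns false when the length is
// out of policy so the caller can drop the client instead of allocating.
bool safeAllocate(const ClientCutTextEvent &ev, std::vector<char> &out) {
    if (ev.length == 0 || ev.length > kMaxCutTextLength)
        return false;
    out.assign(static_cast<size_t>(ev.length) + 1, '\0');  // +1 for NUL terminator
    return true;
}

int main() {
    ClientCutTextEvent hostile{0xFFFFFFFEu};   // UINT_MAX - 1, as in the report
    std::printf("unsafe check passes with 4 bytes available: %d\n",
                unsafeReadyToCopy(hostile, 4));
    std::printf("unsafe allocation succeeded: %d\n", unsafeAllocate(hostile));
    std::printf("safe check passes with 4 bytes available: %d\n",
                safeReadyToCopy(hostile, 4));
    return 0;
}
```

The hardened check also closes the adjacent failure mode: a length just under 2^31 does not wrap, but would leave the vulnerable handler waiting forever for that many bytes; capping the length up front turns both cases into an immediate rejection.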