On Wed, May 26, 2021 at 10:12:48AM +0100, Stefan Hajnoczi wrote: > If the size of a VD_AGENT_CLIPBOARD_GRAB message is invalid we leak info > when returning early. > > Thanks to Coverity for spotting this: > > *** CID 1453266: Resource leaks (RESOURCE_LEAK) > /qemu/ui/vdagent.c: 465 in vdagent_chr_recv_clipboard() > 459 info = qemu_clipboard_info_new(&vd->cbpeer, s); > 460 if (size > sizeof(uint32_t) * 10) { > 461 /* > 462 * spice has 6 types as of 2021. Limiting to 10 entries > 463 * so we we have some wiggle room. > 464 */ > >>> CID 1453266: Resource leaks (RESOURCE_LEAK) > >>> Variable "info" going out of scope leaks the storage it points to. > 465 return; > 466 } > 467 while (size >= sizeof(uint32_t)) { > 468 trace_vdagent_cb_grab_type(GET_NAME(type_name, *(uint32_t > *)data)); > 469 switch (*(uint32_t *)data) { > 470 case VD_AGENT_CLIPBOARD_UTF8_TEXT: > > Fixes: f0349f4d8947ad32d0fa4678cbf5dbb356fcbda1 ("ui/vdagent: add clipboard > support") > Cc: Gerd Hoffmann <kra...@redhat.com> > Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
Reviewed-by: Gerd Hoffmann <kra...@redhat.com>