On Tue, May 12, 2026 at 1:57 PM Daniel P. Berrangé <[email protected]> wrote:
>
> From: Heechan Kang <[email protected]>
>
> QEMU's VNC extended clipboard handler inflates a client-controlled
> compressed clipboard payload. The code checks the declared text size
> against the total inflated buffer size:
>
> if (tsize < size)
>
> but then copies from:
>
> tbuf = buf + 4;
> qemu_clipboard_set_data(..., tsize, tbuf, true);
>
> The correct bound is the remaining data length after the 4-byte length
> field, not the total inflated buffer length.
>
> As a result, a VNC client can make QEMU copy up to 3 bytes past the end
> of the inflated heap buffer. With a second VNC client, those copied
> bytes are observable through the normal VNC extended clipboard PROVIDE
> path.
>
> Fixes: CVE-2026-8343
> Reported-by: Heechan Kang <[email protected]>
> Reported-by: Feifan Qian <[email protected]>
> Reviewed-by: Daniel P. Berrangé <[email protected]>
> Signed-off-by: Heechan Kang <[email protected]>
> [DB: added #include and 'return' statements]
> Signed-off-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]> > --- > ui/vnc-clipboard.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c > index 124b6fbd9c..fa05d86f42 100644 > --- a/ui/vnc-clipboard.c > +++ b/ui/vnc-clipboard.c > @@ -23,6 +23,7 @@ > */ > > #include "qemu/osdep.h" > +#include "qemu/error-report.h" > #include "vnc.h" > #include "vnc-jobs.h" > > @@ -282,10 +283,16 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, > uint32_t flags, uint8_t > buf && size >= 4) { > uint32_t tsize = read_u32(buf, 0); > uint8_t *tbuf = buf + 4; > - if (tsize < size) { > + if (tsize <= size - 4) { > qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo, > QEMU_CLIPBOARD_TYPE_TEXT, > tsize, tbuf, true); > + } else { > + error_report("vnc: malformed extended clipboard payload " > + "with text length %u exceeding available %u", > + tsize, size - 4); > + vnc_client_error(vs); > + return; > } > } > } > -- > 2.54.0 > >
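Review bot: in the second hunk, the new `return` after `vnc_client_error(vs)` leaves `vnc_client_cut_text_ext()` before anything that follows the `if (buf && size >= 4)` block runs; `buf` is the inflated heap buffer the commit message describes, so if it is released after that block on the normal path, it is leaked on this one and a `g_free(buf)` should precede the `return`. The corrected bound `tsize <= size - 4` cannot underflow because the enclosing condition already requires `size >= 4`. In the `error_report()` call, `size - 4` is printed with `%u`, which is only correct if `size` is a 32-bit unsigned type; the hunk does not show its declaration, so either cast it to `unsigned` or use `%zu` if `size` is a `size_t`.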

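As an added illustration (not code from the patch or from QEMU), the two bound checks described in the commit message applied to a constructed inflated PROVIDE payload: a 4-byte big-endian text length followed by the text. The names `clip_bound_old`, `clip_bound_fixed`, `overread_bytes` and the sample bytes are assumptions made here, not QEMU identifiers.

```c
/* Added example, not QEMU code. Names and the sample payload are
 * constructed here to show why the old check allows up to 3 bytes of
 * over-read and the fixed check does not. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Pre-patch: declared length checked against the whole inflated buffer,
 * ignoring the 4 bytes already consumed by the length field. */
static bool clip_bound_old(uint32_t tsize, size_t size)
{
    return tsize < size;
}

/* Patched: checked against the bytes remaining after the length field.
 * Caller guarantees size >= 4, so size - 4 cannot wrap. */
static bool clip_bound_fixed(uint32_t tsize, size_t size)
{
    return tsize <= size - 4;
}

/* Bytes a copy of tsize bytes starting at buf + 4 would read past the
 * end of buf when `bound` accepts the payload; 0 if rejected or in bounds. */
static size_t overread_bytes(const uint8_t *buf, size_t size,
                             bool (*bound)(uint32_t, size_t))
{
    if (buf == NULL || size < 4) {
        return 0;                     /* outer size >= 4 guard rejects it */
    }
    uint32_t tsize = read_u32_be(buf);
    if (!bound(tsize, size)) {
        return 0;                     /* bound check rejects it */
    }
    size_t avail = size - 4;          /* bytes actually after the length */
    return tsize > avail ? (size_t)tsize - avail : 0;
}

/* Constructed payload: length field claims 7 bytes, only 4 follow. */
static const uint8_t sample_payload[8] = {
    0x00, 0x00, 0x00, 0x07, 't', 'e', 's', 't'
};
```

With the sample payload, `overread_bytes` reports 3 bytes for `clip_bound_old` and 0 for `clip_bound_fixed`, matching the commit message's "up to 3 bytes".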