Incorrect calculation of the boundary condition when tracking lossy rectangles in the worker thread will result in an OOB write which can corrupt further worker state, and/or trigger any guard pages that may lie beyond the VncWorker struct. This can be triggered through careful choice of the display resolution in the guest OS by an unprivileged user.
Fixes: CVE-2026-48002 Reported-by: Marc-André Lureau <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Signed-off-by: Daniel P. Berrangé <[email protected]> --- ui/vnc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c index 56dd43d53f..ee567700a5 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2982,13 +2982,13 @@ void vnc_sent_lossy_rect(VncWorker *worker, int x, int y, int w, int h) { int i, j; - w = (x + w) / VNC_STAT_RECT; - h = (y + h) / VNC_STAT_RECT; + w = DIV_ROUND_UP((x + w), VNC_STAT_RECT); + h = DIV_ROUND_UP((y + h), VNC_STAT_RECT); x /= VNC_STAT_RECT; y /= VNC_STAT_RECT; - for (j = y; j <= h; j++) { - for (i = x; i <= w; i++) { + for (j = y; j < h; j++) { + for (i = x; i < w; i++) { worker->lossy_rect[j][i] = 1; } } -- 2.54.0
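Review bot: the new loop bounds in vnc_sent_lossy_rect() are still derived only from the caller's x + w and y + h, with no clamp or assert against the row and column counts of worker->lossy_rect (not visible in this hunk), so any future caller passing a rectangle that exceeds the maximum display size would reintroduce the same class of write; consider rejecting or clamping such rectangles at the top of the function. The arithmetic itself is exact: for positive values DIV_ROUND_UP(x + w, VNC_STAT_RECT) - 1 equals (x + w - 1) / VNC_STAT_RECT, the block index of the last pixel column, so the exclusive `<` loops cover precisely the blocks the rectangle touches, and the pre-patch inclusive `<=` loops wrote one extra row or column exactly when x + w or y + h was a multiple of VNC_STAT_RECT, which a display resolution that is such a multiple triggers on the last row and column of the array. Two smaller points: the function keeps reusing the parameters w and h to hold exclusive end block indices, which is what made the original `<=` look plausible, so `int xe = DIV_ROUND_UP(x + w, VNC_STAT_RECT);` and `int ye = DIV_ROUND_UP(y + h, VNC_STAT_RECT);` would read more clearly than overwriting the width and height; and the extra parentheses around (x + w) and (y + h) inside DIV_ROUND_UP are redundant, since the macro already parenthesizes its arguments.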

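The boundary arithmetic described in the commit message, as an added example that is not QEMU's code: it models the pre-patch inclusive bound and the post-patch DIV_ROUND_UP bound against a fixed-size block grid, shows that the old bound steps past the grid exactly when the rectangle's right or bottom edge is a multiple of VNC_STAT_RECT, and verifies that the new bound marks precisely the blocks the pixel rectangle overlaps. VNC_STAT_RECT is 64 as in QEMU; MAX_W, MAX_H, ROWS, COLS and the helper functions mark_lossy_rect, marks_match_pixels and mark_and_verify are assumptions made for this example and are not part of ui/vnc.c.

```c
/*
 * Added example, not QEMU code: models the block-index arithmetic that
 * vnc_sent_lossy_rect() in ui/vnc.c performs, so the pre-patch and post-patch
 * bounds can be compared against a fixed-size grid. VNC_STAT_RECT (64) is the
 * value QEMU uses; MAX_W, MAX_H, ROWS and COLS are assumptions made for this
 * example and are not QEMU's constants.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VNC_STAT_RECT 64
#define MAX_W 2048                      /* assumed maximum display width  */
#define MAX_H 1024                      /* assumed maximum display height */
#define COLS  (MAX_W / VNC_STAT_RECT)   /* 32 block columns */
#define ROWS  (MAX_H / VNC_STAT_RECT)   /* 16 block rows    */

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Pre-patch arithmetic: (start + len) / VNC_STAT_RECT, used as an inclusive
 * end index (the loop ran while i <= this value). */
static int old_end_block(int start, int len)
{
    return (start + len) / VNC_STAT_RECT;
}

/* Post-patch arithmetic: DIV_ROUND_UP(start + len, VNC_STAT_RECT), used as an
 * exclusive end index (the loop runs while i < this value). */
static int new_end_block(int start, int len)
{
    return DIV_ROUND_UP(start + len, VNC_STAT_RECT);
}

/* True when the pre-patch inclusive loop would write a row or column index
 * beyond the grid; this happens when x + w or y + h is a multiple of
 * VNC_STAT_RECT and lands on the last block line of the display. */
static bool old_writes_oob(int x, int y, int w, int h)
{
    return old_end_block(x, w) >= COLS || old_end_block(y, h) >= ROWS;
}

/* Post-patch marking with an added defensive check: refuse (return -1) rather
 * than write past the grid, otherwise return the number of blocks marked. */
static int mark_lossy_rect(uint8_t grid[ROWS][COLS], int x, int y, int w, int h)
{
    int xs = x / VNC_STAT_RECT, xe = new_end_block(x, w);
    int ys = y / VNC_STAT_RECT, ye = new_end_block(y, h);
    int n = 0;

    if (x < 0 || y < 0 || w <= 0 || h <= 0 || xe > COLS || ye > ROWS) {
        return -1;
    }
    for (int j = ys; j < ye; j++) {
        for (int i = xs; i < xe; i++) {
            grid[j][i] = 1;
            n++;
        }
    }
    return n;
}

/* Independent check that the marked blocks are exactly those overlapping the
 * pixel rectangle [x, x+w) x [y, y+h): no block missed, none marked spuriously. */
static bool marks_match_pixels(uint8_t grid[ROWS][COLS], int x, int y, int w, int h)
{
    for (int j = 0; j < ROWS; j++) {
        for (int i = 0; i < COLS; i++) {
            bool overlaps = i * VNC_STAT_RECT < x + w && (i + 1) * VNC_STAT_RECT > x &&
                            j * VNC_STAT_RECT < y + h && (j + 1) * VNC_STAT_RECT > y;
            if (overlaps != (grid[j][i] != 0)) {
                return false;
            }
        }
    }
    return true;
}

/* Convenience wrapper: mark on a fresh grid and verify; returns the block count,
 * -1 if the rectangle was rejected, -2 if the marks did not match the pixels. */
static int mark_and_verify(int x, int y, int w, int h)
{
    static uint8_t grid[ROWS][COLS];
    memset(grid, 0, sizeof(grid));
    int n = mark_lossy_rect(grid, x, y, w, h);
    if (n < 0) {
        return -1;
    }
    return marks_match_pixels(grid, x, y, w, h) ? n : -2;
}

int main(void)
{
    /* A full-screen update at a resolution that is a multiple of 64 on both axes. */
    int x = 0, y = 0, w = MAX_W, h = MAX_H;

    printf("old inclusive end col=%d row=%d (grid is %dx%d) -> oob=%d\n",
           old_end_block(x, w), old_end_block(y, h), COLS, ROWS, (int)old_writes_oob(x, y, w, h));
    printf("new marking: %d blocks (negative means rejected or mismatched)\n",
           mark_and_verify(x, y, w, h));
    return 0;
}
```

With the assumed 2048x1024 limit the old inclusive bound for a full-screen rectangle is column 32 and row 16, one past the 32x16 grid on each axis, while a 2000x1000 rectangle stays in bounds under the old code too; that is why the commit message ties the trigger to the choice of display resolution. The post-patch bound marks the same blocks for both sizes without touching an index outside the grid.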