Incorrect loop bounds in vnc_update_freq result in iterating past the last row and past the last column in the VNC stats array. With suitably chosen dimensions this could be an OOB read that accesses memory beyond the VncDisplay struct that the stats array is embedded in.
Should this hit a guard page, it could trigger a guest crash. If it does not, then the VNC frequency stats will be updated with garbage. Fixes: CVE-2026-48003 Reported-by: boy juju <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Signed-off-by: Daniel P. Berrangé <[email protected]> --- ui/vnc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c index ee567700a5..03716d7fe9 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -3091,12 +3091,14 @@ double vnc_update_freq(VncState *vs, int x, int y, int w, int h) int i, j; double total = 0; int num = 0; + int x_end = x + w; + int y_end = y + h; x = QEMU_ALIGN_DOWN(x, VNC_STAT_RECT); y = QEMU_ALIGN_DOWN(y, VNC_STAT_RECT); - for (j = y; j <= y + h; j += VNC_STAT_RECT) { - for (i = x; i <= x + w; i += VNC_STAT_RECT) { + for (j = y; j < y_end; j += VNC_STAT_RECT) { + for (i = x; i < x_end; i += VNC_STAT_RECT) { total += vnc_stat_rect(vs->vd, i, j)->freq; num++; } -- 2.54.0
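Review bot: the ordering in this hunk is load-bearing but undocumented: `x_end`/`y_end` are deliberately computed from the caller's `x + w` / `y + h` before `x` and `y` are rounded down with QEMU_ALIGN_DOWN, so that the last VNC_STAT_RECT cell overlapped by an unaligned rectangle is still visited; if someone later "tidies" the two new lines to sit after the alignment, the end bound shrinks and the last column/row of cells is silently skipped. A one-line comment above `int x_end = x + w;` stating that the end is taken from the unaligned coordinates on purpose would prevent that. Two smaller points: with the strict `<` comparison a zero-width or zero-height rectangle now yields `num == 0`, whereas the old `<=` loop always counted at least one cell, so the return path below this hunk (not shown) should be checked for a divide-by-zero on `num`; and the new bounds still rely on callers passing rectangles clipped to the display, since nothing here clamps `x_end`/`y_end` to the stats array dimensions.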
