On 21/5/26 12:33, Daniel P. Berrangé wrote:
Incorrect calculation of the boundary condition when tracking lossy
rectangles in the worker thread will result in an OOB write which
can corrupt further worker state, and/or trigger any guard pages
that may lie beyond the VncWorker struct. This can be triggered
through careful choice of the display resolution in the guest
OS by an unprivileged user.

Fixes: CVE-2026-48002
Reported-by: Marc-André Lureau <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
---
  ui/vnc.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 56dd43d53f..ee567700a5 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2982,13 +2982,13 @@ void vnc_sent_lossy_rect(VncWorker *worker, int x, int 
y, int w, int h)
  {
      int i, j;
- w = (x + w) / VNC_STAT_RECT;
-    h = (y + h) / VNC_STAT_RECT;
+    w = DIV_ROUND_UP((x + w), VNC_STAT_RECT);
+    h = DIV_ROUND_UP((y + h), VNC_STAT_RECT);

       assert(h < VNC_STAT_ROWS);
       assert(w < VNC_STAT_COLS);

      x /= VNC_STAT_RECT;
      y /= VNC_STAT_RECT;
- for (j = y; j <= h; j++) {
-        for (i = x; i <= w; i++) {
+    for (j = y; j < h; j++) {
+        for (i = x; i < w; i++) {
              worker->lossy_rect[j][i] = 1;
          }
      }
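
Review bot: the two asserts retained as context in this hunk now look off by one against the new loop bounds. After the change, w and h are computed with DIV_ROUND_UP and used as exclusive limits (`j < h`, `i < w`), so the largest index actually written is h - 1 / w - 1, which is in bounds whenever h <= VNC_STAT_ROWS and w <= VNC_STAT_COLS. The checks still read `assert(h < VNC_STAT_ROWS)` and `assert(w < VNC_STAT_COLS)`, so a rectangle whose bottom or right edge lands exactly on the last stat-cell boundary (y + h == VNC_STAT_ROWS * VNC_STAT_RECT, or the same for x + w) now yields h == VNC_STAT_ROWS (or w == VNC_STAT_COLS) and trips the assert even though the loop would not go out of bounds. Suggest relaxing them to `assert(h <= VNC_STAT_ROWS);` and `assert(w <= VNC_STAT_COLS);`. Since the commit message says the inputs derive from a guest-chosen display resolution, it is also worth confirming that callers clamp the surface to the stat grid before reaching this function; if they do not, a failed assert here converts the former OOB write into a guest-triggerable abort, and a MIN() clamp with a tracepoint would be the safer bound.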

