Hi
On Thu, May 21, 2026 at 3:22 PM Philippe Mathieu-Daudé
<[email protected]> wrote:
>
> On 21/5/26 12:33, Daniel P. Berrangé wrote:
> > Incorrect calculation of the boundary condition when tracking lossy
> > rectangles in the worker thread will result in an OOB write which
> > can corrupt further worker state, and/or trigger any guard pages
> > that may lie beyond the VncWorker struct. This can be triggered
> > through careful choice of the display resolution in the guest
> > OS by an unprivileged user.
> >
> > Fixes: CVE-2026-48002
> > Reported-by: Marc-André Lureau <[email protected]>
> > Reviewed-by: Marc-André Lureau <[email protected]>
> > Signed-off-by: Daniel P. Berrangé <[email protected]>
> > ---
> > ui/vnc.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/ui/vnc.c b/ui/vnc.c
> > index 56dd43d53f..ee567700a5 100644
> > --- a/ui/vnc.c
> > +++ b/ui/vnc.c
> > @@ -2982,13 +2982,13 @@ void vnc_sent_lossy_rect(VncWorker *worker, int x,
> > int y, int w, int h)
> > {
> > int i, j;
> >
> > - w = (x + w) / VNC_STAT_RECT;
> > - h = (y + h) / VNC_STAT_RECT;
> > + w = DIV_ROUND_UP((x + w), VNC_STAT_RECT);
> > + h = DIV_ROUND_UP((y + h), VNC_STAT_RECT);
>
> assert(h < VNC_STAT_ROWS);
> assert(w < VNC_STAT_COLS);
>
With <=, yes, I can add this while taking.
> > x /= VNC_STAT_RECT;
> > y /= VNC_STAT_RECT;
> >
> > - for (j = y; j <= h; j++) {
> > - for (i = x; i <= w; i++) {
> > + for (j = y; j < h; j++) {
> > + for (i = x; i < w; i++) {
> > worker->lossy_rect[j][i] = 1;
> > }
> > }
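Review bot: the assertions proposed above for this hunk should compare with `<=`, not `<`: after the change, `h` and `w` are exclusive end indices produced by DIV_ROUND_UP, so a rectangle whose far edge lands exactly on the last tile row yields `h == VNC_STAT_ROWS`, which the `j < h` loop handles correctly but which `assert(h < VNC_STAT_ROWS)` would reject; `assert(h <= VNC_STAT_ROWS)` and `assert(w <= VNC_STAT_COLS)` express the invariant the new loops rely on (assuming `lossy_rect` is dimensioned `[VNC_STAT_ROWS][VNC_STAT_COLS]`, as the proposed asserts imply). Minor style point: the extra parentheses in `DIV_ROUND_UP((x + w), VNC_STAT_RECT)` are redundant, `DIV_ROUND_UP(x + w, VNC_STAT_RECT)` reads cleaner.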
>
>
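To make the boundary condition in the patch concrete, here is an added C example (not code from the thread or from QEMU) that models both the pre-fix and post-fix conversion of a pixel rectangle into tile-grid loop bounds and checks whether the resulting indices stay inside a `lossy_rect[VNC_STAT_ROWS][VNC_STAT_COLS]` grid. The grid constants are assumptions taken from my recollection of QEMU's ui/vnc.h (a 64x64 tile grid over a 2560x2048 surface); they are not quoted on the page, and the input rectangles are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Grid geometry, assumed here to mirror QEMU's ui/vnc.h (not quoted in the
 * thread): 64x64 pixel tiles over a 2560x2048 maximum surface. */
#define VNC_MAX_WIDTH  2560
#define VNC_MAX_HEIGHT 2048
#define VNC_STAT_RECT  64
#define VNC_STAT_COLS  (VNC_MAX_WIDTH / VNC_STAT_RECT)   /* 40 */
#define VNC_STAT_ROWS  (VNC_MAX_HEIGHT / VNC_STAT_RECT)  /* 32 */

/* Same shape as the QEMU macro used in the patch. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Tile-grid bounds that the marking loops would iterate over. */
struct tile_bounds {
    int x0, y0;        /* first tile column / row touched */
    int x_end, y_end;  /* exclusive end column / row the loop reaches */
};

/* Pre-fix arithmetic: floor division followed by an inclusive loop
 * (j <= h), written here as an exclusive end of h + 1. */
static struct tile_bounds bounds_before_fix(int x, int y, int w, int h)
{
    struct tile_bounds b;
    b.x_end = (x + w) / VNC_STAT_RECT + 1;
    b.y_end = (y + h) / VNC_STAT_RECT + 1;
    b.x0 = x / VNC_STAT_RECT;
    b.y0 = y / VNC_STAT_RECT;
    return b;
}

/* Post-fix arithmetic: round up to the tile containing the last pixel,
 * then iterate with an exclusive bound (j < h). */
static struct tile_bounds bounds_after_fix(int x, int y, int w, int h)
{
    struct tile_bounds b;
    b.x_end = DIV_ROUND_UP(x + w, VNC_STAT_RECT);
    b.y_end = DIV_ROUND_UP(y + h, VNC_STAT_RECT);
    b.x0 = x / VNC_STAT_RECT;
    b.y0 = y / VNC_STAT_RECT;
    return b;
}

/* True when every index the loops would write lies inside
 * lossy_rect[VNC_STAT_ROWS][VNC_STAT_COLS]. */
static bool bounds_in_grid(struct tile_bounds b)
{
    return b.x0 >= 0 && b.y0 >= 0 &&
           b.x_end <= VNC_STAT_COLS && b.y_end <= VNC_STAT_ROWS;
}

/* Number of tiles the loops mark, to confirm the fix neither under- nor
 * over-covers the rectangle. */
static int tiles_covered(struct tile_bounds b)
{
    return (b.x_end - b.x0) * (b.y_end - b.y0);
}

int main(void)
{
    /* Constructed input: a full-surface rectangle whose far edge sits
     * exactly on the surface boundary, the case that matters here. */
    int x = 0, y = 0, w = VNC_MAX_WIDTH, h = VNC_MAX_HEIGHT;
    struct tile_bounds old = bounds_before_fix(x, y, w, h);
    struct tile_bounds fixed = bounds_after_fix(x, y, w, h);

    printf("before fix: end=(%d,%d) in-grid=%d\n",
           old.x_end, old.y_end, bounds_in_grid(old));
    printf("after fix:  end=(%d,%d) in-grid=%d\n",
           fixed.x_end, fixed.y_end, bounds_in_grid(fixed));
    return 0;
}
```

For the edge-aligned full-surface rectangle the pre-fix bounds reach column 40 and row 32, one past each dimension of the grid, while the post-fix bounds stop at 40 and 32 exclusive. A single 64x64 tile at (64, 64) also shows why the old inclusive loop was over-marking: it touched four tiles where exactly one is needed.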