From: Heechan Kang <[email protected]>
QEMU's VNC extended clipboard handler inflates a client-controlled
compressed clipboard payload. The code checks the declared text size
against the total inflated buffer size:
if (tsize < size)
but then copies from:
tbuf = buf + 4;
qemu_clipboard_set_data(..., tsize, tbuf, true);
The correct bound is the remaining data length after the 4-byte length
field, not the total inflated buffer length.
As a result, a VNC client can make QEMU copy up to 3 bytes past the end
of the inflated heap buffer. With a second VNC client, those copied
bytes are observable through the normal VNC extended clipboard PROVIDE
path.
Fixes: CVE-2026-8343
Reported-by: Heechan Kang <[email protected]>
Reported-by: Feifan Qian <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Heechan Kang <[email protected]>
[DB: added #include and 'return' statements]
Signed-off-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Message-ID: <[email protected]>
---
ui/vnc-clipboard.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 124b6fbd9c2..fa05d86f424 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -23,6 +23,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "vnc.h"
#include "vnc-jobs.h"
@@ -282,10 +283,16 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len,
uint32_t flags, uint8_t
buf && size >= 4) {
uint32_t tsize = read_u32(buf, 0);
uint8_t *tbuf = buf + 4;
- if (tsize < size) {
+ if (tsize <= size - 4) {
qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
QEMU_CLIPBOARD_TYPE_TEXT,
tsize, tbuf, true);
+ } else {
+ error_report("vnc: malformed extended clipboard payload "
+ "with text length %u exceeding available %u",
+ tsize, size - 4);
+ vnc_client_error(vs);
+ return;
}
}
}
--
2.54.0
