On Sun, Sep 25, 2022 at 10:45:11PM +0200, Mauro Matteo Cascella wrote: > Extended ClientCutText messages start with a 4-byte header. If len < 4, > an integer underflow occurs in vnc_client_cut_text_ext. The result is > used to decompress data in a while loop in inflate_buffer, leading to > CPU consumption and denial of service. Prevent this by checking dlen in > protocol_client_msg. > > Fixes: CVE-2022-3165 > Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support") > Reported-by: TangPeng <tangp...@qianxin.com> > Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
Added to queue. thanks, Gerd