[HVM] Avoid buffer overrun in qemu-dm

The array offset in set_bits_in_row here comes from an otherwise un-checked
VNC client request.
Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>

diff --git a/tools/ioemu/vnc.c b/tools/ioemu/vnc.c
index 9b8bcffa37995c2e817ddfb7c7a5840b3445227e..631754ca0344f00477d0acffb3aef38ab3ec3e2e 100644 (file)
--- a/tools/ioemu/vnc.c
+++ b/tools/ioemu/vnc.c
@@ -203,6 +203,8 @@ static void set_bits_in_row(VncState *vs, uint64_t *row,
        mask = ~(0ULL);
 
     h += y;
+    if (h > vs->ds->height)
+        h = vs->ds->height;
     for (; y < h; y++)
        row[y] |= mask;
 }