From e481cc001d138a5247287c05624933a392568de4 Mon Sep 17 00:00:00 2001
From: Tim Deegan
Date: Wed, 25 Oct 2006 11:39:57 +0100
Subject: [PATCH] [HVM] Avoid buffer overrun in qemu-dm

The array offset in set_bits_in_row here comes from an otherwise un-checked VNC client request.

Signed-off-by: Tim Deegan
---
 tools/ioemu/vnc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/ioemu/vnc.c b/tools/ioemu/vnc.c
index 9b8bcffa37..631754ca03 100644
--- a/tools/ioemu/vnc.c
+++ b/tools/ioemu/vnc.c
@@ -203,6 +203,8 @@ static void set_bits_in_row(VncState *vs, uint64_t *row,
 mask = ~(0ULL);
 h += y;
+ if (h > vs->ds->height)
+ h = vs->ds->height;
 for (; y < h; y++)
 row[y] |= mask;
 }
-- 
2.30.2
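Review bot: The clamp bounds only the end of the loop; the starting index y still reaches `row[y]` unchecked, and nothing in the hunk shows that y is non-negative or that the `row` array actually holds `vs->ds->height` entries. Since the parameters are `int`, a negative y would index before the array even after this patch; a symmetric guard such as `if (y < 0) y = 0;` before the loop, or validating x, y, w and h against the framebuffer size where the client request is decoded, would close that. The comparison also runs after `h += y`, so a caller-supplied h near INT_MAX would overflow before the check — harmless only if the decoder already limits h to a 16-bit value, which is not visible here. A one-line comment on the new check, `/* h comes straight from the client's update request; clamp to the framebuffer */`, would record why the clamp exists. set_bits_in_row begins above the hunk, so the mask computation that uses x and w is not shown.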