Re: [PATCH for-8.2] ui/vnc-clipboard: fix inflate_buffer
From: Marc-André Lureau
Subject: Re: [PATCH for-8.2] ui/vnc-clipboard: fix inflate_buffer
Date: Thu, 23 Nov 2023 10:52:16 +0400
Hi
On Wed, Nov 22, 2023 at 5:25 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
>
> Am 22.11.23 um 14:06 schrieb Marc-André Lureau:
> > Hi
> >
> > On Wed, Nov 22, 2023 at 5:00 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
> >>
> >> Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
> >> inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
> >> required, because it can happen that stream.avail_in becomes zero
> >> before coming across a return value of Z_STREAM_END in the loop.
> >
> > Isn't this an error from the client side then?
> >
>
> In my test just now I get Z_BUF_ERROR twice and after the second one,
> stream.avail_in is zero. Maybe if you'd call inflate() again, you'd get
> Z_STREAM_END, but no such call is made, because we exit the loop.
It should exit the loop after calling inflate() again though.
Or do you mean that it goes to Z_BUF_ERROR a second time with
stream.avail_in == 0, and thus exits the loop quickly after?
That could mean that the input buffer is not complete.
"Note that Z_BUF_ERROR is not fatal, and inflate() can be called again
with more input..."
Something is fishy... Is it easy to reproduce?
> Would it be better/more correct to ensure that inflate is called again
> in such a scenario?
>
> Best Regards,
> Fiona
>
--
Marc-André Lureau
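The thread turns on which of inflate()'s outcomes a decompression loop must distinguish: Z_STREAM_END (done), Z_BUF_ERROR with the input exhausted (the peer has not sent the rest of the stream yet, or never will), a data error, and an output buffer that keeps growing because the stream is attacker-chosen. The following is an added, self-contained illustration of that state machine, written here for this page; it is not QEMU's inflate_buffer and not code from anyone in the thread. It uses Python's standard-library zlib module, which wraps the same inflate() API and, as the quoted zlib documentation says, treats Z_BUF_ERROR as non-fatal: d.eof corresponds to having seen Z_STREAM_END, an empty d.unconsumed_tail corresponds to stream.avail_in == 0. The function name inflate_bounded, the OUTPUT_LIMIT value and all sample inputs are constructed for the example.

```python
import zlib

# Constructed bound for this example; the real limit QEMU uses is not on the page.
OUTPUT_LIMIT = 1 << 16


def inflate_bounded(data: bytes, limit: int = OUTPUT_LIMIT):
    """Inflate `data` incrementally and report how the stream ended.

    Returns (status, output, trailing) where status is one of:
      'complete'  - zlib reached Z_STREAM_END (d.eof); `trailing` holds any
                    bytes that followed the end of the stream (d.unused_data)
      'truncated' - all input was consumed without Z_STREAM_END, i.e. the
                    stream.avail_in == 0 case from the thread: calling
                    inflate() again would only yield Z_BUF_ERROR until the
                    peer sends more bytes
      'too_large' - the output would exceed `limit`; stop instead of growing
                    the buffer without bound on an attacker-chosen stream
      'corrupt'   - zlib reported a data error (bad header, block or adler32)
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        # Request at most one byte beyond what we are willing to keep, so a
        # stream whose output ends exactly at `limit` still reaches Z_STREAM_END
        # instead of being misreported as too large.
        try:
            chunk = d.decompress(pending, max_length=limit - len(out) + 1)
        except zlib.error:
            return 'corrupt', bytes(out), b''
        out += chunk
        if len(out) > limit:
            return 'too_large', bytes(out[:limit]), b''
        if d.eof:
            return 'complete', bytes(out), d.unused_data
        pending = d.unconsumed_tail   # input zlib stopped before consuming
        if not pending:
            # avail_in == 0 and no Z_STREAM_END: the stream is incomplete.
            return 'truncated', bytes(out), b''


def constructed_samples():
    """Hand-made inputs (not captured from a real VNC client), one per state."""
    text = b"clipboard text " * 100
    good = zlib.compress(text)
    return {
        'text': text,
        'complete': good,
        'trailing': good + b"second-message",        # bytes after Z_STREAM_END
        'truncated': good[:-8],                      # client stopped sending early
        'corrupt': b"\xff" + good[1:],               # bad zlib header byte
        'bomb': zlib.compress(b"\0" * 1_000_000),    # ~1 KiB inflating to 1 MB
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name in ('complete', 'trailing', 'truncated', 'corrupt', 'bomb'):
        status, out, trailing = inflate_bounded(samples[name])
        print(f"{name:10s} -> {status:10s} {len(out):7d} bytes, trailing={trailing!r}")
```

In a C loop the same four exits map onto: `ret == Z_STREAM_END` (complete), `ret == Z_BUF_ERROR && stream.avail_in == 0` (truncated, which is what the patch under discussion restores a check for), any other non-zero return (corrupt), and a size check before each buffer growth (too_large). Which of the truncated and corrupt cases should disconnect the client is a policy decision; the point the example makes is that the loop must terminate on every one of them.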