From: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: Wed, 7 Dec 2016 10:55:11 +0000 (+0300)
Subject: gtk: avoid oob array access
X-Git-Tag: v2.9.0-rc2~212^2~3
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=c952b71582e2e4be286087ad34de5e3ec1b8d974;p=mirror_qemu.git

gtk: avoid oob array access

When too many consoles are created, vcs[] may be write out-of-bounds.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20161207105511.25173-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---

diff --git a/ui/gtk.c b/ui/gtk.c
index 356f400af5..86368e38b7 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1706,6 +1706,11 @@ static CharDriverState *gd_vc_handler(ChardevVC *vc, Error **errp)
     ChardevCommon *common = qapi_ChardevVC_base(vc);
     CharDriverState *chr;
 
+    if (nb_vcs == MAX_VCS) {
+        error_setg(errp, "Maximum number of consoles reached");
+        return NULL;
+    }
+
     chr = qemu_chr_alloc(common, errp);
     if (!chr) {
         return NULL;