gtk: avoid oob array access

When too many consoles are created, vcs[] may be write out-of-bounds.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20161207105511.25173-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

diff --git a/ui/gtk.c b/ui/gtk.c
index 356f400af5f8dce3426a2e83bb596e0cf70be5f7..86368e38b7ce7298ba1eafc4b38fa281969c3e89 100644 (file)
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1706,6 +1706,11 @@ static CharDriverState *gd_vc_handler(ChardevVC *vc, Error **errp)
     ChardevCommon *common = qapi_ChardevVC_base(vc);
     CharDriverState *chr;
 
+    if (nb_vcs == MAX_VCS) {
+        error_setg(errp, "Maximum number of consoles reached");
+        return NULL;
+    }
+
     chr = qemu_chr_alloc(common, errp);
     if (!chr) {
         return NULL;