# HG changeset patch
# User Steven Smith <ssmith@xensource.com>
# Node ID ca3abb3804f4400b24037a4366cb2ca5e51ed742
# Parent  7fca81d456b2cb40d4effe2492f7ed1aafd32f52
[HVM][VNC] Make sure that qemu doesn't go into an infinite loop when
it receives certain invalid requests from the viewer.

Signed-off-by: Steven Smith <sos22@cam.ac.uk>

Index: ioemu/vnc.c
===================================================================
--- ioemu.orig/vnc.c	2006-12-06 23:46:11.000000000 +0000
+++ ioemu/vnc.c	2006-12-06 23:46:11.000000000 +0000
@@ -26,6 +26,7 @@
 
 #include "vl.h"
 #include "qemu_socket.h"
+#include <assert.h>
 
 #define VNC_REFRESH_INTERVAL (1000 / 30)
 
@@ -679,8 +680,10 @@
 	    memmove(vs->input.buffer, vs->input.buffer + len,
 		    vs->input.offset - len);
 	    vs->input.offset -= len;
-	} else
+	} else {
+	    assert(ret > vs->read_handler_expect);
 	    vs->read_handler_expect = ret;
+	}
     }
 }
 
@@ -963,8 +966,12 @@
 	if (len == 1)
 	    return 4;
 
-	if (len == 4)
-	    return 4 + (read_u16(data, 2) * 4);
+	if (len == 4) {
+	    uint16_t v;
+	    v = read_u16(data, 2);
+	    if (v)
+		return 4 + v * 4;
+	}
 
 	limit = read_u16(data, 2);
 	for (i = 0; i < limit; i++) {
@@ -998,8 +1005,12 @@
 	if (len == 1)
 	    return 8;
 
-	if (len == 8)
-	    return 8 + read_u32(data, 4);
+	if (len == 8) {
+	    uint32_t v;
+	    v = read_u32(data, 4);
+	    if (v)
+		return 8 + v;
+	}
 
 	client_cut_text(vs, read_u32(data, 4), data + 8);
 	break;
