From baa7666c74e7495c0982afe2a566aabcd4dbe1ac Mon Sep 17 00:00:00 2001
From: ths
Date: Thu, 13 Sep 2007 12:41:42 +0000
Subject: [PATCH] Fix infinite loop in VNC support, by Marc Bevand.

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3169 c046a42c-6fe2-441c-8c8c-71466251a162
---
 vnc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/vnc.c b/vnc.c
index 64906980c3..75e4fc9686 100644
--- a/vnc.c
+++ b/vnc.c
@@ -1195,8 +1195,11 @@ static int protocol_client_msg(VncState *vs, char *data, size_t len)
 if (len == 1)
 return 8;
- if (len == 8)
- return 8 + read_u32(data, 4);
+ if (len == 8) {
+ uint32_t dlen = read_u32(data, 4);
+ if (dlen > 0)
+ return 8 + dlen;
+ }
 client_cut_text(vs, read_u32(data, 4), data + 8);
 break;