The `vnc_client_cut_text_ext` function in ui/vnc-clipboard.c calls `inflate_buffer` with an attacker-controlled buffer (size, data). There is a wrong exit condition in `inflate_buffer` which can trigger an infinite loop. A remote authenticated client who is able to send a clipboard to the QEMU built-in VNC server can trigger this flaw and cause a denial of service.
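To illustrate the class of bug described above, this added example (not QEMU's code and not taken from the patch) models in Python a decompression loop whose only exit test is "no input left", next to a bounded version that exits on end of stream. The function names, `MAX_OUT`, `MAX_STEPS` and the sample inputs are assumptions made for this example, as is the choice of bytes following the stream as the case where the flawed exit test never becomes true.

```python
import zlib

MAX_OUT = 1 << 20   # assumed cap on inflated size (example value)
MAX_STEPS = 64      # lets the flawed loop be observed without hanging

def flawed_loop_spins(data: bytes) -> bool:
    """Model of a loop whose only exit test is "no input left".

    Returns True if the loop is still running after MAX_STEPS, i.e. it
    would never exit on its own. Intended for small inputs only.
    """
    d = zlib.decompressobj()
    pending = data
    for _ in range(MAX_STEPS):
        if not pending:                  # the only exit condition
            return False
        if not d.eof:
            d.decompress(pending, MAX_OUT)
        # Once the stream has ended the decoder consumes nothing more,
        # so bytes that follow the stream stay pending forever.
        pending = d.unconsumed_tail + d.unused_data
    return True

def inflate_untrusted(data: bytes, max_out: int = MAX_OUT) -> bytes:
    """Inflate one zlib stream; every path either finishes or raises."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:                     # exit on end of stream, not on empty input
        chunk = d.decompress(pending, max_out + 1 - len(out))
        out += chunk
        if len(out) > max_out:
            raise ValueError("inflated size exceeds limit")
        if not chunk and not d.eof:      # no output and not finished: no progress
            raise ValueError("truncated stream")
        pending = d.unconsumed_tail
    if d.unused_data:
        raise ValueError("trailing bytes after end of stream")
    return bytes(out)

# Constructed sample inputs, not captured traffic.
GOOD = zlib.compress(b"clipboard text " * 8)
TRAILING = GOOD + b"\x00\x00\x00\x00"
```

Each pass through the bounded loop either appends at least one byte (limited by `max_out`), reaches end of stream, or raises, so it cannot run indefinitely on any input.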
Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg00596.html
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2219543]
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/d921fea3
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2135
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2962 https://access.redhat.com/errata/RHSA-2024:2962