This bug has been introduced somewhere after version 1.2 (wheezy).
The code in wheezy is not vulnerable to this issue, since it
contains explicit check for the length, before null-terminating
the key buffer:
static void do_sendkey(Monitor *mon, const QDict *qdict)
{
char keyname_buf[16];
char *separator;
int keyname_len, keycode, i;
const char *string = qdict_get_str(qdict, "string");
int has_hold_time = qdict_haskey(qdict, "hold_time");
int hold_time = qdict_get_try_int(qdict, "hold_time", -1);
if (nb_pending_keycodes > 0) {
qemu_del_timer(key_timer);
release_keys(NULL);
}
i = 0;
while (1) {
separator = strchr(string, '-');
keyname_len = separator ? separator - string : strlen(string);
if (keyname_len > 0) {
pstrcpy(keyname_buf, sizeof(keyname_buf), string);
if (keyname_len > sizeof(keyname_buf) - 1) { <<<<======
here
monitor_printf(mon, "invalid key: '%s...'\n", keyname_buf);
return;
}
if (i == MAX_KEYCODES) {
monitor_printf(mon, "too many keys\n");
return;
}
keyname_buf[keyname_len] = 0; <<<<====
termination
keycode = get_keycode(keyname_buf);
if (keycode < 0) {
monitor_printf(mon, "unknown key: '%s'\n", keyname_buf);
return;
}
keycodes[i++] = keycode;
}
if (!separator)
break;
string = separator + 1;
}