diff --git a/SOURCES/kvm-dhcpv6-use-slirp_fmt.patch b/SOURCES/kvm-dhcpv6-use-slirp_fmt.patch
new file mode 100644
index 0000000..51b2a60
--- /dev/null
+++ b/SOURCES/kvm-dhcpv6-use-slirp_fmt.patch
@@ -0,0 +1,60 @@
+From 07007a43513817859d0c0b50c21a96221aa101e4 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:10 +0100
+Subject: [PATCH 2/6] dhcpv6: use slirp_fmt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-3-jmaloy@redhat.com>
+Patchwork-id: 96586
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 2/6] dhcpv6: use slirp_fmt()
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Warn if result is truncated, return bytes actually written (excluding \0).
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-3-marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit f207a7cee35a584d8ecd4b852cb238fb5d743c85)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/dhcpv6.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/slirp/dhcpv6.c b/slirp/dhcpv6.c
+index d266611..1ee6176 100644
+--- a/slirp/dhcpv6.c
++++ b/slirp/dhcpv6.c
+@@ -162,13 +162,12 @@ static void dhcpv6_info_request(Slirp *slirp, struct sockaddr_in6 *srcsas,
+ *resp++ = OPTION_BOOTFILE_URL >> 8; /* option-code high byte */
+ *resp++ = OPTION_BOOTFILE_URL; /* option-code low byte */
+ smaxlen = (uint8_t *)m->m_data + IF_MTU - (resp + 2);
+- slen = snprintf((char *)resp + 2, smaxlen,
+- "tftp://[%02x%02x:%02x%02x:%02x%02x:%02x%02x:"
+- "%02x%02x:%02x%02x:%02x%02x:%02x%02x]/%s",
+- sa[0], sa[1], sa[2], sa[3], sa[4], sa[5], sa[6], sa[7],
+- sa[8], sa[9], sa[10], sa[11], sa[12], sa[13], sa[14],
+- sa[15], slirp->bootp_filename);
+- slen = MIN(slen, smaxlen);
++ slen = slirp_fmt((char *)resp + 2, smaxlen,
++ "tftp://[%02x%02x:%02x%02x:%02x%02x:%02x%02x:"
++ "%02x%02x:%02x%02x:%02x%02x:%02x%02x]/%s",
++ sa[0], sa[1], sa[2], sa[3], sa[4], sa[5], sa[6], sa[7],
++ sa[8], sa[9], sa[10], sa[11], sa[12], sa[13], sa[14],
++ sa[15], slirp->bootp_filename);
+ *resp++ = slen >> 8; /* option-len high byte */
+ *resp++ = slen; /* option-len low byte */
+ resp += slen;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-misc-use-slirp_fmt0.patch b/SOURCES/kvm-misc-use-slirp_fmt0.patch
new file mode 100644
index 0000000..8c772e8
--- /dev/null
+++ b/SOURCES/kvm-misc-use-slirp_fmt0.patch
@@ -0,0 +1,79 @@
+From d031facefbadc6c3f1ddb185c8e965cce68914e8 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:11 +0100
+Subject: [PATCH 3/6] misc: use slirp_fmt0()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-4-jmaloy@redhat.com>
+Patchwork-id: 96587
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 3/6] misc: use slirp_fmt0()
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Those are safe and should never fail. Nevertheless, use
+slirp_snfillf0() for more safety.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-4-marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit 2af8a28a7ef0acde6f7525b346a3701d1cb54cd8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/misc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/slirp/misc.c b/slirp/misc.c
+index 035b9ab..e256dbe 100644
+--- a/slirp/misc.c
++++ b/slirp/misc.c
+@@ -250,7 +250,7 @@ void slirp_connection_info(Slirp *slirp, Monitor *mon)
+ dst_addr = so->so_faddr;
+ dst_port = so->so_fport;
+ }
+- snprintf(buf, sizeof(buf), " TCP[%s]", state);
++ slirp_fmt0(buf, sizeof(buf), " TCP[%s]", state);
+ monitor_printf(mon, "%-19s %3d %15s %5d ", buf, so->s,
+ src.sin_addr.s_addr ? inet_ntoa(src.sin_addr) : "*",
+ ntohs(src.sin_port));
+@@ -261,14 +261,14 @@ void slirp_connection_info(Slirp *slirp, Monitor *mon)
+
+ for (so = slirp->udb.so_next; so != &slirp->udb; so = so->so_next) {
+ if (so->so_state & SS_HOSTFWD) {
+- snprintf(buf, sizeof(buf), " UDP[HOST_FORWARD]");
++ slirp_fmt0(buf, sizeof(buf), " UDP[HOST_FORWARD]");
+ src_len = sizeof(src);
+ getsockname(so->s, (struct sockaddr *)&src, &src_len);
+ dst_addr = so->so_laddr;
+ dst_port = so->so_lport;
+ } else {
+- snprintf(buf, sizeof(buf), " UDP[%d sec]",
+- (so->so_expire - curtime) / 1000);
++ slirp_fmt0(buf, sizeof(buf), " UDP[%d sec]",
++ (so->so_expire - curtime) / 1000);
+ src.sin_addr = so->so_laddr;
+ src.sin_port = so->so_lport;
+ dst_addr = so->so_faddr;
+@@ -283,8 +283,8 @@ void slirp_connection_info(Slirp *slirp, Monitor *mon)
+ }
+
+ for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so->so_next) {
+- snprintf(buf, sizeof(buf), " ICMP[%d sec]",
+- (so->so_expire - curtime) / 1000);
++ slirp_fmt0(buf, sizeof(buf), " ICMP[%d sec]",
++ (so->so_expire - curtime) / 1000);
+ src.sin_addr = so->so_laddr;
+ dst_addr = so->so_faddr;
+ monitor_printf(mon, "%-19s %3d %15s - ", buf, so->s,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_ctl-use-slirp_fmt.patch b/SOURCES/kvm-tcp_ctl-use-slirp_fmt.patch
new file mode 100644
index 0000000..e192a22
--- /dev/null
+++ b/SOURCES/kvm-tcp_ctl-use-slirp_fmt.patch
@@ -0,0 +1,53 @@
+From 11fc63b5c59a02cd8ce2f5021c4c4ee6bbe88b57 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:13 +0100
+Subject: [PATCH 5/6] tcp_ctl: use slirp_fmt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-6-jmaloy@redhat.com>
+Patchwork-id: 96589
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 5/6] tcp_ctl: use slirp_fmt()
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Make it safer to OOB (sb_cc must not go out of sb_data), warn on
+truncation, abort on error.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-6-marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit c8ee10e29c668a30a8d10e8a16c570b1bbe32175)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index ac14366..53aa58d 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -984,9 +984,8 @@ int tcp_ctl(struct socket *so)
+ }
+ }
+ }
+- sb->sb_cc =
+- snprintf(sb->sb_wptr, sb->sb_datalen - (sb->sb_wptr - sb->sb_data),
+- "Error: No application configured.\r\n");
++ sb->sb_cc = slirp_fmt(sb->sb_wptr, sb->sb_datalen - (sb->sb_wptr - sb->sb_data),
++ "Error: No application configured.\r\n");
+ sb->sb_wptr += sb->sb_cc;
+ return 0;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch
new file mode 100644
index 0000000..e09eca2
--- /dev/null
+++ b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch
@@ -0,0 +1,152 @@
+From f66a28121435b4aaffb21cec51c3856ab627b751 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:14 +0100
+Subject: [PATCH 6/6] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-7-jmaloy@redhat.com>
+Patchwork-id: 96590
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 6/6] tcp_emu: fix unsafe snprintf() usages
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit 68ccb8021a838066f0951d4b2817eb6b6f10a843)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tcp_subr.c | 45 +++++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 53aa58d..32736bb 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -662,8 +662,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ NTOHS(n1);
+ NTOHS(n2);
+ m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
+- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+- assert(m->m_len < M_ROOM(m));
++ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+ } else {
+ *eol = '\r';
+ }
+@@ -701,11 +700,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n2 = ((laddr >> 16) & 0xff);
+ n3 = ((laddr >> 8) & 0xff);
+ n4 = (laddr & 0xff);
+-
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+- n1, n2, n3, n4, n5, n6, x==7?buff:"");
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ return 1;
+ } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+ /*
+@@ -736,10 +734,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+-
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ return 1;
+ }
+
+@@ -762,8 +759,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, M_ROOM(m),
+- "%d", ntohs(so->so_fport)) + 1;
++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport));
+ return 1;
+
+ case EMU_IRC:
+@@ -783,10 +780,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC CHAT chat %lu %u%c\n",
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC CHAT chat %lu %u%c\n",
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), 1);
+ } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ htonl(laddr), htons(lport),
+@@ -794,10 +791,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC SEND %s %lu %u %u%c\n", buff,
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), n1, 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC SEND %s %lu %u %u%c\n", buff,
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), n1, 1);
+ } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ htonl(laddr), htons(lport),
+@@ -805,10 +802,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC MOVE %s %lu %u %u%c\n", buff,
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), n1, 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC MOVE %s %lu %u %u%c\n", buff,
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), n1, 1);
+ }
+ return 1;
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tftp-use-slirp_fmt0.patch b/SOURCES/kvm-tftp-use-slirp_fmt0.patch
new file mode 100644
index 0000000..4b65c8d
--- /dev/null
+++ b/SOURCES/kvm-tftp-use-slirp_fmt0.patch
@@ -0,0 +1,53 @@
+From ab9c1c0d86b35fb159a6c173134e4ae816f130f3 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:12 +0100
+Subject: [PATCH 4/6] tftp: use slirp_fmt0()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-5-jmaloy@redhat.com>
+Patchwork-id: 96588
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 4/6] tftp: use slirp_fmt0()
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Make it OOB-safe, warn on truncation, always \0-end, abort on error.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-5-marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit 98968c4f94330b3e4fe48dc79a851eff5e8a5962)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/tftp.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/tftp.c b/slirp/tftp.c
+index a9bc4bb..c3a2ce6 100644
+--- a/slirp/tftp.c
++++ b/slirp/tftp.c
+@@ -184,10 +184,8 @@ static int tftp_send_oack(struct tftp_session *spt,
+
+ tp->tp_op = htons(TFTP_OACK);
+ for (i = 0; i < nb; i++) {
+- n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s",
+- keys[i]) + 1;
+- n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u",
+- values[i]) + 1;
++ n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
++ n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
+ }
+
+ m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + n
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers.patch
new file mode 100644
index 0000000..23fc0e2
--- /dev/null
+++ b/SOURCES/kvm-util-add-slirp_fmt-helpers.patch
@@ -0,0 +1,143 @@
+From 2a4ee2d1702febccc0d81c1724eb61cb654ed72f Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 14 May 2020 21:13:09 +0100
+Subject: [PATCH 1/6] util: add slirp_fmt() helpers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200514211314.1534001-2-jmaloy@redhat.com>
+Patchwork-id: 96585
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH v2 1/6] util: add slirp_fmt() helpers
+Bugzilla: 1834477
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Various calls to snprintf() in libslirp assume that snprintf() returns
+"only" the number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Introduce slirp_fmt() that handles several pathological cases the
+way libslirp usually expect:
+
+- treat error as fatal (instead of silently returning -1)
+
+- fmt0() will always \0 end
+
+- return the number of bytes actually written (instead of what would
+ have been written, which would usually result in OOB later), including
+ the ending \0 for fmt0()
+
+- warn if truncation happened (instead of ignoring)
+
+ Other less common cases can still be handled with strcpy/snprintf() etc.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
+
+(cherry-picked from libslirp commit 30648c03b27fb8d9611b723184216cd3174b6775)
+Manual cherry pick, since there is no util.c file in this code version.
+Instead, we add the new functions to the file misc.c.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/misc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ slirp/slirp.h | 2 ++
+ 2 files changed, 64 insertions(+)
+
+diff --git a/slirp/misc.c b/slirp/misc.c
+index 260187b..035b9ab 100644
+--- a/slirp/misc.c
++++ b/slirp/misc.c
+@@ -293,3 +293,65 @@ void slirp_connection_info(Slirp *slirp, Monitor *mon)
+ so->so_rcv.sb_cc, so->so_snd.sb_cc);
+ }
+ }
++
++static int slirp_vsnprintf(char *str, size_t size,
++ const char *format, va_list args)
++{
++ int rv = vsnprintf(str, size, format, args);
++
++ if (rv < 0) {
++ g_error("vsnprintf() failed: %s", g_strerror(errno));
++ }
++
++ return rv;
++}
++
++/*
++ * A snprintf()-like function that:
++ * - returns the number of bytes written (excluding optional \0-ending)
++ * - dies on error
++ * - warn on truncation
++ */
++int slirp_fmt(char *str, size_t size, const char *format, ...)
++{
++ va_list args;
++ int rv;
++
++ va_start(args, format);
++ rv = slirp_vsnprintf(str, size, format, args);
++ va_end(args);
++
++ if (rv > size) {
++ g_critical("vsnprintf() truncation");
++ }
++
++ return MIN(rv, size);
++}
++
++/*
++ * A snprintf()-like function that:
++ * - always \0-end (unless size == 0)
++ * - returns the number of bytes actually written, including \0 ending
++ * - dies on error
++ * - warn on truncation
++ */
++int slirp_fmt0(char *str, size_t size, const char *format, ...)
++{
++ va_list args;
++ int rv;
++
++ va_start(args, format);
++ rv = slirp_vsnprintf(str, size, format, args);
++ va_end(args);
++
++ if (rv >= size) {
++ g_critical("vsnprintf() truncation");
++ if (size > 0)
++ str[size - 1] = '\0';
++ rv = size;
++ } else {
++ rv += 1; /* include \0 */
++ }
++
++ return rv;
++}
+diff --git a/slirp/slirp.h b/slirp/slirp.h
+index 06febfc..49b8c2c 100644
+--- a/slirp/slirp.h
++++ b/slirp/slirp.h
+@@ -292,5 +292,7 @@ uint8_t tcp_tos(struct socket *);
+ int tcp_emu(struct socket *, struct mbuf *);
+ int tcp_ctl(struct socket *);
+ struct tcpcb *tcp_drop(struct tcpcb *tp, int err);
++int slirp_fmt(char *str, size_t size, const char *format, ...);
++int slirp_fmt0(char *str, size_t size, const char *format, ...);
+
+ #endif
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vnc-add-magic-cookie-to-VncState.patch b/SOURCES/kvm-vnc-add-magic-cookie-to-VncState.patch
new file mode 100644
index 0000000..47635c1
--- /dev/null
+++ b/SOURCES/kvm-vnc-add-magic-cookie-to-VncState.patch
@@ -0,0 +1,160 @@
+From df2a48c11d014c568393d4909e05b7b251baa47d Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 7 May 2020 21:51:47 +0100
+Subject: [PATCH 1/2] vnc: add magic cookie to VncState
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200507215148.1201876-2-jmaloy@redhat.com>
+Patchwork-id: 96346
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 1/2] vnc: add magic cookie to VncState
+Bugzilla: 1816763
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+Set magic cookie on initialization. Clear on cleanup. Sprinkle a bunch
+of assert()s checking the cookie, to verify the pointer is valid.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20180507102254.12107-1-kraxel@redhat.com
+
+(cherry picked from commit f31f9c1080d8907c95f1501c6abab038eceb5490)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ ui/vnc-jobs.c | 4 ++++
+ ui/vnc.c | 10 +++++++++-
+ ui/vnc.h | 3 +++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c
+index 868ddde..b0b15d4 100644
+--- a/ui/vnc-jobs.c
++++ b/ui/vnc-jobs.c
+@@ -82,6 +82,7 @@ VncJob *vnc_job_new(VncState *vs)
+ {
+ VncJob *job = g_new0(VncJob, 1);
+
++ assert(vs->magic == VNC_MAGIC);
+ job->vs = vs;
+ vnc_lock_queue(queue);
+ QLIST_INIT(&job->rectangles);
+@@ -214,6 +215,7 @@ static int vnc_worker_thread_loop(VncJobQueue *queue)
+ /* Here job can only be NULL if queue->exit is true */
+ job = QTAILQ_FIRST(&queue->jobs);
+ vnc_unlock_queue(queue);
++ assert(job->vs->magic == VNC_MAGIC);
+
+ if (queue->exit) {
+ return -1;
+@@ -236,6 +238,7 @@ static int vnc_worker_thread_loop(VncJobQueue *queue)
+
+ /* Make a local copy of vs and switch output buffers */
+ vnc_async_encoding_start(job->vs, &vs);
++ vs.magic = VNC_MAGIC;
+
+ /* Start sending rectangles */
+ n_rectangles = 0;
+@@ -289,6 +292,7 @@ disconnected:
+ vnc_unlock_queue(queue);
+ qemu_cond_broadcast(&queue->cond);
+ g_free(job);
++ vs.magic = 0;
+ return 0;
+ }
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0bd44f1..dbbc76e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1157,6 +1157,7 @@ static void audio_capture_notify(void *opaque, audcnotification_e cmd)
+ {
+ VncState *vs = opaque;
+
++ assert(vs->magic == VNC_MAGIC);
+ switch (cmd) {
+ case AUD_CNOTIFY_DISABLE:
+ vnc_lock_output(vs);
+@@ -1186,6 +1187,7 @@ static void audio_capture(void *opaque, void *buf, int size)
+ {
+ VncState *vs = opaque;
+
++ assert(vs->magic == VNC_MAGIC);
+ vnc_lock_output(vs);
+ if (vs->output.offset < vs->throttle_output_offset) {
+ vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
+@@ -1294,6 +1296,7 @@ void vnc_disconnect_finish(VncState *vs)
+ vs->ioc = NULL;
+ object_unref(OBJECT(vs->sioc));
+ vs->sioc = NULL;
++ vs->magic = 0;
+ g_free(vs);
+ }
+
+@@ -1433,7 +1436,7 @@ static void vnc_client_write_locked(VncState *vs)
+
+ static void vnc_client_write(VncState *vs)
+ {
+-
++ assert(vs->magic == VNC_MAGIC);
+ vnc_lock_output(vs);
+ if (vs->output.offset) {
+ vnc_client_write_locked(vs);
+@@ -1506,6 +1509,7 @@ static void vnc_jobs_bh(void *opaque)
+ {
+ VncState *vs = opaque;
+
++ assert(vs->magic == VNC_MAGIC);
+ vnc_jobs_consume_buffer(vs);
+ }
+
+@@ -1556,6 +1560,8 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
+ GIOCondition condition, void *opaque)
+ {
+ VncState *vs = opaque;
++
++ assert(vs->magic == VNC_MAGIC);
+ if (condition & G_IO_IN) {
+ if (vnc_client_read(vs) < 0) {
+ goto end;
+@@ -1586,6 +1592,7 @@ end:
+
+ void vnc_write(VncState *vs, const void *data, size_t len)
+ {
++ assert(vs->magic == VNC_MAGIC);
+ if (vs->disconnecting) {
+ return;
+ }
+@@ -3082,6 +3089,7 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
+ int i;
+
+ trace_vnc_client_connect(vs, sioc);
++ vs->magic = VNC_MAGIC;
+ vs->sioc = sioc;
+ object_ref(OBJECT(vs->sioc));
+ vs->ioc = QIO_CHANNEL(sioc);
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 7b29def..7626329 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -255,8 +255,11 @@ typedef enum {
+ VNC_STATE_UPDATE_FORCE,
+ } VncStateUpdate;
+
++#define VNC_MAGIC ((uint64_t)0x05b3f069b3d204bb)
++
+ struct VncState
+ {
++ uint64_t magic;
+ QIOChannelSocket *sioc; /* The underlying socket */
+ QIOChannel *ioc; /* The channel currently used for I/O */
+ guint ioc_tag;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch b/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
new file mode 100644
index 0000000..c7a988d
--- /dev/null
+++ b/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
@@ -0,0 +1,1033 @@
+From 0b97bae6cad6c7da8cd0f489249f140615b0b07e Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 7 May 2020 21:51:48 +0100
+Subject: [PATCH 2/2] vnc: fix memory leak when vnc disconnect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy <jmaloy@redhat.com>
+Message-id: <20200507215148.1201876-3-jmaloy@redhat.com>
+Patchwork-id: 96345
+O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 2/2] vnc: fix memory leak when vnc disconnect
+Bugzilla: 1816763
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+
+From: Li Qiang <liq3ea@163.com>
+
+Currently when qemu receives a vnc connect, it creates a 'VncState' to
+represent this connection. In 'vnc_worker_thread_loop' it creates a
+local 'VncState'. The connection 'VcnState' and local 'VncState' exchange
+data in 'vnc_async_encoding_start' and 'vnc_async_encoding_end'.
+In 'zrle_compress_data' it calls 'deflateInit2' to allocate the libz library
+opaque data. The 'VncState' used in 'zrle_compress_data' is the local
+'VncState'. In 'vnc_zrle_clear' it calls 'deflateEnd' to free the libz
+library opaque data. The 'VncState' used in 'vnc_zrle_clear' is the connection
+'VncState'. In currently implementation there will be a memory leak when the
+vnc disconnect. Following is the asan output backtrack:
+
+Direct leak of 29760 byte(s) in 5 object(s) allocated from:
+ 0 0xffffa67ef3c3 in __interceptor_calloc (/lib64/libasan.so.4+0xd33c3)
+ 1 0xffffa65071cb in g_malloc0 (/lib64/libglib-2.0.so.0+0x571cb)
+ 2 0xffffa5e968f7 in deflateInit2_ (/lib64/libz.so.1+0x78f7)
+ 3 0xaaaacec58613 in zrle_compress_data ui/vnc-enc-zrle.c:87
+ 4 0xaaaacec58613 in zrle_send_framebuffer_update ui/vnc-enc-zrle.c:344
+ 5 0xaaaacec34e77 in vnc_send_framebuffer_update ui/vnc.c:919
+ 6 0xaaaacec5e023 in vnc_worker_thread_loop ui/vnc-jobs.c:271
+ 7 0xaaaacec5e5e7 in vnc_worker_thread ui/vnc-jobs.c:340
+ 8 0xaaaacee4d3c3 in qemu_thread_start util/qemu-thread-posix.c:502
+ 9 0xffffa544e8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
+ 10 0xffffa53965cb in thread_start (/lib64/libc.so.6+0xd55cb)
+
+This is because the opaque allocated in 'deflateInit2' is not freed in
+'deflateEnd'. The reason is that the 'deflateEnd' calls 'deflateStateCheck'
+and in the latter will check whether 's->strm != strm'(libz's data structure).
+This check will be true so in 'deflateEnd' it just return 'Z_STREAM_ERROR' and
+not free the data allocated in 'deflateInit2'.
+
+The reason this happens is that the 'VncState' contains the whole 'VncZrle',
+so when calling 'deflateInit2', the 's->strm' will be the local address.
+So 's->strm != strm' will be true.
+
+To fix this issue, we need to make 'zrle' of 'VncState' to be a pointer.
+Then the connection 'VncState' and local 'VncState' exchange mechanism will
+work as expection. The 'tight' of 'VncState' has the same issue, let's also turn
+it to a pointer.
+
+Reported-by: Ying Fang <fangying1@huawei.com>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-id: 20190831153922.121308-1-liq3ea@163.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ ui/vnc-enc-tight.c | 219 +++++++++++++++++++++++----------------------
+ ui/vnc-enc-zlib.c | 11 +--
+ ui/vnc-enc-zrle-template.c | 2 +-
+ ui/vnc-enc-zrle.c | 68 +++++++-------
+ ui/vnc.c | 28 +++---
+ ui/vnc.h | 4 +-
+ 6 files changed, 170 insertions(+), 162 deletions(-)
+
+diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
+index f38aceb..9ce2b42 100644
+--- a/ui/vnc-enc-tight.c
++++ b/ui/vnc-enc-tight.c
+@@ -117,7 +117,7 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+
+ static bool tight_can_send_png_rect(VncState *vs, int w, int h)
+ {
+- if (vs->tight.type != VNC_ENCODING_TIGHT_PNG) {
++ if (vs->tight->type != VNC_ENCODING_TIGHT_PNG) {
+ return false;
+ }
+
+@@ -145,7 +145,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
+ int pixels = 0;
+ int pix, left[3];
+ unsigned int errors;
+- unsigned char *buf = vs->tight.tight.buffer;
++ unsigned char *buf = vs->tight->tight.buffer;
+
+ /*
+ * If client is big-endian, color samples begin from the second
+@@ -216,7 +216,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
+ int pixels = 0; \
+ int sample, sum, left[3]; \
+ unsigned int errors; \
+- unsigned char *buf = vs->tight.tight.buffer; \
++ unsigned char *buf = vs->tight->tight.buffer; \
+ \
+ endian = 0; /* FIXME */ \
+ \
+@@ -297,8 +297,8 @@ static int
+ tight_detect_smooth_image(VncState *vs, int w, int h)
+ {
+ unsigned int errors;
+- int compression = vs->tight.compression;
+- int quality = vs->tight.quality;
++ int compression = vs->tight->compression;
++ int quality = vs->tight->quality;
+
+ if (!vs->vd->lossy) {
+ return 0;
+@@ -310,7 +310,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+ return 0;
+ }
+
+- if (vs->tight.quality != (uint8_t)-1) {
++ if (vs->tight->quality != (uint8_t)-1) {
+ if (w * h < VNC_TIGHT_JPEG_MIN_RECT_SIZE) {
+ return 0;
+ }
+@@ -321,9 +321,9 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+ }
+
+ if (vs->client_pf.bytes_per_pixel == 4) {
+- if (vs->tight.pixel24) {
++ if (vs->tight->pixel24) {
+ errors = tight_detect_smooth_image24(vs, w, h);
+- if (vs->tight.quality != (uint8_t)-1) {
++ if (vs->tight->quality != (uint8_t)-1) {
+ return (errors < tight_conf[quality].jpeg_threshold24);
+ }
+ return (errors < tight_conf[compression].gradient_threshold24);
+@@ -353,7 +353,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+ uint##bpp##_t c0, c1, ci; \
+ int i, n0, n1; \
+ \
+- data = (uint##bpp##_t *)vs->tight.tight.buffer; \
++ data = (uint##bpp##_t *)vs->tight->tight.buffer; \
+ \
+ c0 = data[0]; \
+ i = 1; \
+@@ -424,9 +424,9 @@ static int tight_fill_palette(VncState *vs, int x, int y,
+ {
+ int max;
+
+- max = count / tight_conf[vs->tight.compression].idx_max_colors_divisor;
++ max = count / tight_conf[vs->tight->compression].idx_max_colors_divisor;
+ if (max < 2 &&
+- count >= tight_conf[vs->tight.compression].mono_min_rect_size) {
++ count >= tight_conf[vs->tight->compression].mono_min_rect_size) {
+ max = 2;
+ }
+ if (max >= 256) {
+@@ -559,7 +559,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+ int x, y, c;
+
+ buf32 = (uint32_t *)buf;
+- memset(vs->tight.gradient.buffer, 0, w * 3 * sizeof(int));
++ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int));
+
+ if (1 /* FIXME */) {
+ shift[0] = vs->client_pf.rshift;
+@@ -576,7 +576,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+ upper[c] = 0;
+ here[c] = 0;
+ }
+- prev = (int *)vs->tight.gradient.buffer;
++ prev = (int *)vs->tight->gradient.buffer;
+ for (x = 0; x < w; x++) {
+ pix32 = *buf32++;
+ for (c = 0; c < 3; c++) {
+@@ -616,7 +616,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+ int prediction; \
+ int x, y, c; \
+ \
+- memset (vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); \
++ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); \
+ \
+ endian = 0; /* FIXME */ \
+ \
+@@ -632,7 +632,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+ upper[c] = 0; \
+ here[c] = 0; \
+ } \
+- prev = (int *)vs->tight.gradient.buffer; \
++ prev = (int *)vs->tight->gradient.buffer; \
+ for (x = 0; x < w; x++) { \
+ pix = *buf; \
+ if (endian) { \
+@@ -786,7 +786,7 @@ static void extend_solid_area(VncState *vs, int x, int y, int w, int h,
+ static int tight_init_stream(VncState *vs, int stream_id,
+ int level, int strategy)
+ {
+- z_streamp zstream = &vs->tight.stream[stream_id];
++ z_streamp zstream = &vs->tight->stream[stream_id];
+
+ if (zstream->opaque == NULL) {
+ int err;
+@@ -804,15 +804,15 @@ static int tight_init_stream(VncState *vs, int stream_id,
+ return -1;
+ }
+
+- vs->tight.levels[stream_id] = level;
++ vs->tight->levels[stream_id] = level;
+ zstream->opaque = vs;
+ }
+
+- if (vs->tight.levels[stream_id] != level) {
++ if (vs->tight->levels[stream_id] != level) {
+ if (deflateParams(zstream, level, strategy) != Z_OK) {
+ return -1;
+ }
+- vs->tight.levels[stream_id] = level;
++ vs->tight->levels[stream_id] = level;
+ }
+ return 0;
+ }
+@@ -840,11 +840,11 @@ static void tight_send_compact_size(VncState *vs, size_t len)
+ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+ int level, int strategy)
+ {
+- z_streamp zstream = &vs->tight.stream[stream_id];
++ z_streamp zstream = &vs->tight->stream[stream_id];
+ int previous_out;
+
+ if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) {
+- vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset);
++ vnc_write(vs, vs->tight->tight.buffer, vs->tight->tight.offset);
+ return bytes;
+ }
+
+@@ -853,13 +853,13 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+ }
+
+ /* reserve memory in output buffer */
+- buffer_reserve(&vs->tight.zlib, bytes + 64);
++ buffer_reserve(&vs->tight->zlib, bytes + 64);
+
+ /* set pointers */
+- zstream->next_in = vs->tight.tight.buffer;
+- zstream->avail_in = vs->tight.tight.offset;
+- zstream->next_out = vs->tight.zlib.buffer + vs->tight.zlib.offset;
+- zstream->avail_out = vs->tight.zlib.capacity - vs->tight.zlib.offset;
++ zstream->next_in = vs->tight->tight.buffer;
++ zstream->avail_in = vs->tight->tight.offset;
++ zstream->next_out = vs->tight->zlib.buffer + vs->tight->zlib.offset;
++ zstream->avail_out = vs->tight->zlib.capacity - vs->tight->zlib.offset;
+ previous_out = zstream->avail_out;
+ zstream->data_type = Z_BINARY;
+
+@@ -869,14 +869,14 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+ return -1;
+ }
+
+- vs->tight.zlib.offset = vs->tight.zlib.capacity - zstream->avail_out;
++ vs->tight->zlib.offset = vs->tight->zlib.capacity - zstream->avail_out;
+ /* ...how much data has actually been produced by deflate() */
+ bytes = previous_out - zstream->avail_out;
+
+ tight_send_compact_size(vs, bytes);
+- vnc_write(vs, vs->tight.zlib.buffer, bytes);
++ vnc_write(vs, vs->tight->zlib.buffer, bytes);
+
+- buffer_reset(&vs->tight.zlib);
++ buffer_reset(&vs->tight->zlib);
+
+ return bytes;
+ }
+@@ -927,16 +927,17 @@ static int send_full_color_rect(VncState *vs, int x, int y, int w, int h)
+
+ vnc_write_u8(vs, stream << 4); /* no flushing, no filter */
+
+- if (vs->tight.pixel24) {
+- tight_pack24(vs, vs->tight.tight.buffer, w * h, &vs->tight.tight.offset);
++ if (vs->tight->pixel24) {
++ tight_pack24(vs, vs->tight->tight.buffer, w * h,
++ &vs->tight->tight.offset);
+ bytes = 3;
+ } else {
+ bytes = vs->client_pf.bytes_per_pixel;
+ }
+
+ bytes = tight_compress_data(vs, stream, w * h * bytes,
+- tight_conf[vs->tight.compression].raw_zlib_level,
+- Z_DEFAULT_STRATEGY);
++ tight_conf[vs->tight->compression].raw_zlib_level,
++ Z_DEFAULT_STRATEGY);
+
+ return (bytes >= 0);
+ }
+@@ -947,14 +948,14 @@ static int send_solid_rect(VncState *vs)
+
+ vnc_write_u8(vs, VNC_TIGHT_FILL << 4); /* no flushing, no filter */
+
+- if (vs->tight.pixel24) {
+- tight_pack24(vs, vs->tight.tight.buffer, 1, &vs->tight.tight.offset);
++ if (vs->tight->pixel24) {
++ tight_pack24(vs, vs->tight->tight.buffer, 1, &vs->tight->tight.offset);
+ bytes = 3;
+ } else {
+ bytes = vs->client_pf.bytes_per_pixel;
+ }
+
+- vnc_write(vs, vs->tight.tight.buffer, bytes);
++ vnc_write(vs, vs->tight->tight.buffer, bytes);
+ return 1;
+ }
+
+@@ -963,7 +964,7 @@ static int send_mono_rect(VncState *vs, int x, int y,
+ {
+ ssize_t bytes;
+ int stream = 1;
+- int level = tight_conf[vs->tight.compression].mono_zlib_level;
++ int level = tight_conf[vs->tight->compression].mono_zlib_level;
+
+ #ifdef CONFIG_VNC_PNG
+ if (tight_can_send_png_rect(vs, w, h)) {
+@@ -991,26 +992,26 @@ static int send_mono_rect(VncState *vs, int x, int y,
+ uint32_t buf[2] = {bg, fg};
+ size_t ret = sizeof (buf);
+
+- if (vs->tight.pixel24) {
++ if (vs->tight->pixel24) {
+ tight_pack24(vs, (unsigned char*)buf, 2, &ret);
+ }
+ vnc_write(vs, buf, ret);
+
+- tight_encode_mono_rect32(vs->tight.tight.buffer, w, h, bg, fg);
++ tight_encode_mono_rect32(vs->tight->tight.buffer, w, h, bg, fg);
+ break;
+ }
+ case 2:
+ vnc_write(vs, &bg, 2);
+ vnc_write(vs, &fg, 2);
+- tight_encode_mono_rect16(vs->tight.tight.buffer, w, h, bg, fg);
++ tight_encode_mono_rect16(vs->tight->tight.buffer, w, h, bg, fg);
+ break;
+ default:
+ vnc_write_u8(vs, bg);
+ vnc_write_u8(vs, fg);
+- tight_encode_mono_rect8(vs->tight.tight.buffer, w, h, bg, fg);
++ tight_encode_mono_rect8(vs->tight->tight.buffer, w, h, bg, fg);
+ break;
+ }
+- vs->tight.tight.offset = bytes;
++ vs->tight->tight.offset = bytes;
+
+ bytes = tight_compress_data(vs, stream, bytes, level, Z_DEFAULT_STRATEGY);
+ return (bytes >= 0);
+@@ -1040,7 +1041,7 @@ static void write_palette(int idx, uint32_t color, void *opaque)
+ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
+ {
+ int stream = 3;
+- int level = tight_conf[vs->tight.compression].gradient_zlib_level;
++ int level = tight_conf[vs->tight->compression].gradient_zlib_level;
+ ssize_t bytes;
+
+ if (vs->client_pf.bytes_per_pixel == 1) {
+@@ -1050,23 +1051,23 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
+ vnc_write_u8(vs, (stream | VNC_TIGHT_EXPLICIT_FILTER) << 4);
+ vnc_write_u8(vs, VNC_TIGHT_FILTER_GRADIENT);
+
+- buffer_reserve(&vs->tight.gradient, w * 3 * sizeof (int));
++ buffer_reserve(&vs->tight->gradient, w * 3 * sizeof(int));
+
+- if (vs->tight.pixel24) {
+- tight_filter_gradient24(vs, vs->tight.tight.buffer, w, h);
++ if (vs->tight->pixel24) {
++ tight_filter_gradient24(vs, vs->tight->tight.buffer, w, h);
+ bytes = 3;
+ } else if (vs->client_pf.bytes_per_pixel == 4) {
+- tight_filter_gradient32(vs, (uint32_t *)vs->tight.tight.buffer, w, h);
++ tight_filter_gradient32(vs, (uint32_t *)vs->tight->tight.buffer, w, h);
+ bytes = 4;
+ } else {
+- tight_filter_gradient16(vs, (uint16_t *)vs->tight.tight.buffer, w, h);
++ tight_filter_gradient16(vs, (uint16_t *)vs->tight->tight.buffer, w, h);
+ bytes = 2;
+ }
+
+- buffer_reset(&vs->tight.gradient);
++ buffer_reset(&vs->tight->gradient);
+
+ bytes = w * h * bytes;
+- vs->tight.tight.offset = bytes;
++ vs->tight->tight.offset = bytes;
+
+ bytes = tight_compress_data(vs, stream, bytes,
+ level, Z_FILTERED);
+@@ -1077,7 +1078,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ int w, int h, VncPalette *palette)
+ {
+ int stream = 2;
+- int level = tight_conf[vs->tight.compression].idx_zlib_level;
++ int level = tight_conf[vs->tight->compression].idx_zlib_level;
+ int colors;
+ ssize_t bytes;
+
+@@ -1104,12 +1105,12 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ palette_iter(palette, write_palette, &priv);
+ vnc_write(vs, header, sizeof(header));
+
+- if (vs->tight.pixel24) {
++ if (vs->tight->pixel24) {
+ tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset);
+ vs->output.offset = old_offset + offset;
+ }
+
+- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
++ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, palette);
+ break;
+ }
+ case 2:
+@@ -1119,7 +1120,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+
+ palette_iter(palette, write_palette, &priv);
+ vnc_write(vs, header, sizeof(header));
+- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
++ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette);
+ break;
+ }
+ default:
+@@ -1127,7 +1128,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ break;
+ }
+ bytes = w * h;
+- vs->tight.tight.offset = bytes;
++ vs->tight->tight.offset = bytes;
+
+ bytes = tight_compress_data(vs, stream, bytes,
+ level, Z_DEFAULT_STRATEGY);
+@@ -1146,7 +1147,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ static void jpeg_init_destination(j_compress_ptr cinfo)
+ {
+ VncState *vs = cinfo->client_data;
+- Buffer *buffer = &vs->tight.jpeg;
++ Buffer *buffer = &vs->tight->jpeg;
+
+ cinfo->dest->next_output_byte = (JOCTET *)buffer->buffer + buffer->offset;
+ cinfo->dest->free_in_buffer = (size_t)(buffer->capacity - buffer->offset);
+@@ -1156,7 +1157,7 @@ static void jpeg_init_destination(j_compress_ptr cinfo)
+ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
+ {
+ VncState *vs = cinfo->client_data;
+- Buffer *buffer = &vs->tight.jpeg;
++ Buffer *buffer = &vs->tight->jpeg;
+
+ buffer->offset = buffer->capacity;
+ buffer_reserve(buffer, 2048);
+@@ -1168,7 +1169,7 @@ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
+ static void jpeg_term_destination(j_compress_ptr cinfo)
+ {
+ VncState *vs = cinfo->client_data;
+- Buffer *buffer = &vs->tight.jpeg;
++ Buffer *buffer = &vs->tight->jpeg;
+
+ buffer->offset = buffer->capacity - cinfo->dest->free_in_buffer;
+ }
+@@ -1187,7 +1188,7 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
+ return send_full_color_rect(vs, x, y, w, h);
+ }
+
+- buffer_reserve(&vs->tight.jpeg, 2048);
++ buffer_reserve(&vs->tight->jpeg, 2048);
+
+ cinfo.err = jpeg_std_error(&jerr);
+ jpeg_create_compress(&cinfo);
+@@ -1222,9 +1223,9 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
+
+ vnc_write_u8(vs, VNC_TIGHT_JPEG << 4);
+
+- tight_send_compact_size(vs, vs->tight.jpeg.offset);
+- vnc_write(vs, vs->tight.jpeg.buffer, vs->tight.jpeg.offset);
+- buffer_reset(&vs->tight.jpeg);
++ tight_send_compact_size(vs, vs->tight->jpeg.offset);
++ vnc_write(vs, vs->tight->jpeg.buffer, vs->tight->jpeg.offset);
++ buffer_reset(&vs->tight->jpeg);
+
+ return 1;
+ }
+@@ -1240,7 +1241,7 @@ static void write_png_palette(int idx, uint32_t pix, void *opaque)
+ VncState *vs = priv->vs;
+ png_colorp color = &priv->png_palette[idx];
+
+- if (vs->tight.pixel24)
++ if (vs->tight->pixel24)
+ {
+ color->red = (pix >> vs->client_pf.rshift) & vs->client_pf.rmax;
+ color->green = (pix >> vs->client_pf.gshift) & vs->client_pf.gmax;
+@@ -1267,10 +1268,10 @@ static void png_write_data(png_structp png_ptr, png_bytep data,
+ {
+ VncState *vs = png_get_io_ptr(png_ptr);
+
+- buffer_reserve(&vs->tight.png, vs->tight.png.offset + length);
+- memcpy(vs->tight.png.buffer + vs->tight.png.offset, data, length);
++ buffer_reserve(&vs->tight->png, vs->tight->png.offset + length);
++ memcpy(vs->tight->png.buffer + vs->tight->png.offset, data, length);
+
+- vs->tight.png.offset += length;
++ vs->tight->png.offset += length;
+ }
+
+ static void png_flush_data(png_structp png_ptr)
+@@ -1295,8 +1296,8 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+ png_infop info_ptr;
+ png_colorp png_palette = NULL;
+ pixman_image_t *linebuf;
+- int level = tight_png_conf[vs->tight.compression].png_zlib_level;
+- int filters = tight_png_conf[vs->tight.compression].png_filters;
++ int level = tight_png_conf[vs->tight->compression].png_zlib_level;
++ int filters = tight_png_conf[vs->tight->compression].png_filters;
+ uint8_t *buf;
+ int dy;
+
+@@ -1340,21 +1341,23 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+ png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette));
+
+ if (vs->client_pf.bytes_per_pixel == 4) {
+- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
++ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h,
++ palette);
+ } else {
+- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
++ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h,
++ palette);
+ }
+ }
+
+ png_write_info(png_ptr, info_ptr);
+
+- buffer_reserve(&vs->tight.png, 2048);
++ buffer_reserve(&vs->tight->png, 2048);
+ linebuf = qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, w);
+ buf = (uint8_t *)pixman_image_get_data(linebuf);
+ for (dy = 0; dy < h; dy++)
+ {
+ if (color_type == PNG_COLOR_TYPE_PALETTE) {
+- memcpy(buf, vs->tight.tight.buffer + (dy * w), w);
++ memcpy(buf, vs->tight->tight.buffer + (dy * w), w);
+ } else {
+ qemu_pixman_linebuf_fill(linebuf, vs->vd->server, w, x, y + dy);
+ }
+@@ -1372,27 +1375,27 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+
+ vnc_write_u8(vs, VNC_TIGHT_PNG << 4);
+
+- tight_send_compact_size(vs, vs->tight.png.offset);
+- vnc_write(vs, vs->tight.png.buffer, vs->tight.png.offset);
+- buffer_reset(&vs->tight.png);
++ tight_send_compact_size(vs, vs->tight->png.offset);
++ vnc_write(vs, vs->tight->png.buffer, vs->tight->png.offset);
++ buffer_reset(&vs->tight->png);
+ return 1;
+ }
+ #endif /* CONFIG_VNC_PNG */
+
+ static void vnc_tight_start(VncState *vs)
+ {
+- buffer_reset(&vs->tight.tight);
++ buffer_reset(&vs->tight->tight);
+
+ // make the output buffer be the zlib buffer, so we can compress it later
+- vs->tight.tmp = vs->output;
+- vs->output = vs->tight.tight;
++ vs->tight->tmp = vs->output;
++ vs->output = vs->tight->tight;
+ }
+
+ static void vnc_tight_stop(VncState *vs)
+ {
+ // switch back to normal output/zlib buffers
+- vs->tight.tight = vs->output;
+- vs->output = vs->tight.tmp;
++ vs->tight->tight = vs->output;
++ vs->output = vs->tight->tmp;
+ }
+
+ static int send_sub_rect_nojpeg(VncState *vs, int x, int y, int w, int h,
+@@ -1426,9 +1429,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+ int ret;
+
+ if (colors == 0) {
+- if (force || (tight_jpeg_conf[vs->tight.quality].jpeg_full &&
++ if (force || (tight_jpeg_conf[vs->tight->quality].jpeg_full &&
+ tight_detect_smooth_image(vs, w, h))) {
+- int quality = tight_conf[vs->tight.quality].jpeg_quality;
++ int quality = tight_conf[vs->tight->quality].jpeg_quality;
+
+ ret = send_jpeg_rect(vs, x, y, w, h, quality);
+ } else {
+@@ -1440,9 +1443,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+ ret = send_mono_rect(vs, x, y, w, h, bg, fg);
+ } else if (colors <= 256) {
+ if (force || (colors > 96 &&
+- tight_jpeg_conf[vs->tight.quality].jpeg_idx &&
++ tight_jpeg_conf[vs->tight->quality].jpeg_idx &&
+ tight_detect_smooth_image(vs, w, h))) {
+- int quality = tight_conf[vs->tight.quality].jpeg_quality;
++ int quality = tight_conf[vs->tight->quality].jpeg_quality;
+
+ ret = send_jpeg_rect(vs, x, y, w, h, quality);
+ } else {
+@@ -1480,20 +1483,20 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
+ }
+
+- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
++ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
+
+ vnc_tight_start(vs);
+ vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+ vnc_tight_stop(vs);
+
+ #ifdef CONFIG_VNC_JPEG
+- if (!vs->vd->non_adaptive && vs->tight.quality != (uint8_t)-1) {
++ if (!vs->vd->non_adaptive && vs->tight->quality != (uint8_t)-1) {
+ double freq = vnc_update_freq(vs, x, y, w, h);
+
+- if (freq < tight_jpeg_conf[vs->tight.quality].jpeg_freq_min) {
++ if (freq < tight_jpeg_conf[vs->tight->quality].jpeg_freq_min) {
+ allow_jpeg = false;
+ }
+- if (freq >= tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
++ if (freq >= tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
+ force_jpeg = true;
+ vnc_sent_lossy_rect(vs, x, y, w, h);
+ }
+@@ -1503,7 +1506,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
+
+ #ifdef CONFIG_VNC_JPEG
+- if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
++ if (allow_jpeg && vs->tight->quality != (uint8_t)-1) {
+ ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
+ color_count_palette, force_jpeg);
+ } else {
+@@ -1520,7 +1523,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+
+ static int send_sub_rect_solid(VncState *vs, int x, int y, int w, int h)
+ {
+- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
++ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
+
+ vnc_tight_start(vs);
+ vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+@@ -1538,8 +1541,8 @@ static int send_rect_simple(VncState *vs, int x, int y, int w, int h,
+ int rw, rh;
+ int n = 0;
+
+- max_size = tight_conf[vs->tight.compression].max_rect_size;
+- max_width = tight_conf[vs->tight.compression].max_rect_width;
++ max_size = tight_conf[vs->tight->compression].max_rect_size;
++ max_width = tight_conf[vs->tight->compression].max_rect_width;
+
+ if (split && (w > max_width || w * h > max_size)) {
+ max_sub_width = (w > max_width) ? max_width : w;
+@@ -1648,16 +1651,16 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+
+ if (vs->client_pf.bytes_per_pixel == 4 && vs->client_pf.rmax == 0xFF &&
+ vs->client_pf.bmax == 0xFF && vs->client_pf.gmax == 0xFF) {
+- vs->tight.pixel24 = true;
++ vs->tight->pixel24 = true;
+ } else {
+- vs->tight.pixel24 = false;
++ vs->tight->pixel24 = false;
+ }
+
+ #ifdef CONFIG_VNC_JPEG
+- if (vs->tight.quality != (uint8_t)-1) {
++ if (vs->tight->quality != (uint8_t)-1) {
+ double freq = vnc_update_freq(vs, x, y, w, h);
+
+- if (freq > tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
++ if (freq > tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
+ return send_rect_simple(vs, x, y, w, h, false);
+ }
+ }
+@@ -1669,8 +1672,8 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+
+ /* Calculate maximum number of rows in one non-solid rectangle. */
+
+- max_rows = tight_conf[vs->tight.compression].max_rect_size;
+- max_rows /= MIN(tight_conf[vs->tight.compression].max_rect_width, w);
++ max_rows = tight_conf[vs->tight->compression].max_rect_size;
++ max_rows /= MIN(tight_conf[vs->tight->compression].max_rect_width, w);
+
+ return find_large_solid_color_rect(vs, x, y, w, h, max_rows);
+ }
+@@ -1678,33 +1681,33 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+ int vnc_tight_send_framebuffer_update(VncState *vs, int x, int y,
+ int w, int h)
+ {
+- vs->tight.type = VNC_ENCODING_TIGHT;
++ vs->tight->type = VNC_ENCODING_TIGHT;
+ return tight_send_framebuffer_update(vs, x, y, w, h);
+ }
+
+ int vnc_tight_png_send_framebuffer_update(VncState *vs, int x, int y,
+ int w, int h)
+ {
+- vs->tight.type = VNC_ENCODING_TIGHT_PNG;
++ vs->tight->type = VNC_ENCODING_TIGHT_PNG;
+ return tight_send_framebuffer_update(vs, x, y, w, h);
+ }
+
+ void vnc_tight_clear(VncState *vs)
+ {
+ int i;
+- for (i=0; i<ARRAY_SIZE(vs->tight.stream); i++) {
+- if (vs->tight.stream[i].opaque) {
+- deflateEnd(&vs->tight.stream[i]);
++ for (i = 0; i < ARRAY_SIZE(vs->tight->stream); i++) {
++ if (vs->tight->stream[i].opaque) {
++ deflateEnd(&vs->tight->stream[i]);
+ }
+ }
+
+- buffer_free(&vs->tight.tight);
+- buffer_free(&vs->tight.zlib);
+- buffer_free(&vs->tight.gradient);
++ buffer_free(&vs->tight->tight);
++ buffer_free(&vs->tight->zlib);
++ buffer_free(&vs->tight->gradient);
+ #ifdef CONFIG_VNC_JPEG
+- buffer_free(&vs->tight.jpeg);
++ buffer_free(&vs->tight->jpeg);
+ #endif
+ #ifdef CONFIG_VNC_PNG
+- buffer_free(&vs->tight.png);
++ buffer_free(&vs->tight->png);
+ #endif
+ }
+diff --git a/ui/vnc-enc-zlib.c b/ui/vnc-enc-zlib.c
+index 33e9df2..900ae5b 100644
+--- a/ui/vnc-enc-zlib.c
++++ b/ui/vnc-enc-zlib.c
+@@ -76,7 +76,8 @@ static int vnc_zlib_stop(VncState *vs)
+ zstream->zalloc = vnc_zlib_zalloc;
+ zstream->zfree = vnc_zlib_zfree;
+
+- err = deflateInit2(zstream, vs->tight.compression, Z_DEFLATED, MAX_WBITS,
++ err = deflateInit2(zstream, vs->tight->compression, Z_DEFLATED,
++ MAX_WBITS,
+ MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
+
+ if (err != Z_OK) {
+@@ -84,16 +85,16 @@ static int vnc_zlib_stop(VncState *vs)
+ return -1;
+ }
+
+- vs->zlib.level = vs->tight.compression;
++ vs->zlib.level = vs->tight->compression;
+ zstream->opaque = vs;
+ }
+
+- if (vs->tight.compression != vs->zlib.level) {
+- if (deflateParams(zstream, vs->tight.compression,
++ if (vs->tight->compression != vs->zlib.level) {
++ if (deflateParams(zstream, vs->tight->compression,
+ Z_DEFAULT_STRATEGY) != Z_OK) {
+ return -1;
+ }
+- vs->zlib.level = vs->tight.compression;
++ vs->zlib.level = vs->tight->compression;
+ }
+
+ // reserve memory in output buffer
+diff --git a/ui/vnc-enc-zrle-template.c b/ui/vnc-enc-zrle-template.c
+index abf6b86..c107d8a 100644
+--- a/ui/vnc-enc-zrle-template.c
++++ b/ui/vnc-enc-zrle-template.c
+@@ -96,7 +96,7 @@ static void ZRLE_ENCODE(VncState *vs, int x, int y, int w, int h,
+ static void ZRLE_ENCODE_TILE(VncState *vs, ZRLE_PIXEL *data, int w, int h,
+ int zywrle_level)
+ {
+- VncPalette *palette = &vs->zrle.palette;
++ VncPalette *palette = &vs->zrle->palette;
+
+ int runs = 0;
+ int single_pixels = 0;
+diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c
+index fd63d4f..3d259ed 100644
+--- a/ui/vnc-enc-zrle.c
++++ b/ui/vnc-enc-zrle.c
+@@ -37,18 +37,18 @@ static const int bits_per_packed_pixel[] = {
+
+ static void vnc_zrle_start(VncState *vs)
+ {
+- buffer_reset(&vs->zrle.zrle);
++ buffer_reset(&vs->zrle->zrle);
+
+ /* make the output buffer be the zlib buffer, so we can compress it later */
+- vs->zrle.tmp = vs->output;
+- vs->output = vs->zrle.zrle;
++ vs->zrle->tmp = vs->output;
++ vs->output = vs->zrle->zrle;
+ }
+
+ static void vnc_zrle_stop(VncState *vs)
+ {
+ /* switch back to normal output/zlib buffers */
+- vs->zrle.zrle = vs->output;
+- vs->output = vs->zrle.tmp;
++ vs->zrle->zrle = vs->output;
++ vs->output = vs->zrle->tmp;
+ }
+
+ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
+@@ -56,24 +56,24 @@ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
+ {
+ Buffer tmp;
+
+- buffer_reset(&vs->zrle.fb);
+- buffer_reserve(&vs->zrle.fb, w * h * bpp + bpp);
++ buffer_reset(&vs->zrle->fb);
++ buffer_reserve(&vs->zrle->fb, w * h * bpp + bpp);
+
+ tmp = vs->output;
+- vs->output = vs->zrle.fb;
++ vs->output = vs->zrle->fb;
+
+ vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+
+- vs->zrle.fb = vs->output;
++ vs->zrle->fb = vs->output;
+ vs->output = tmp;
+- return vs->zrle.fb.buffer;
++ return vs->zrle->fb.buffer;
+ }
+
+ static int zrle_compress_data(VncState *vs, int level)
+ {
+- z_streamp zstream = &vs->zrle.stream;
++ z_streamp zstream = &vs->zrle->stream;
+
+- buffer_reset(&vs->zrle.zlib);
++ buffer_reset(&vs->zrle->zlib);
+
+ if (zstream->opaque != vs) {
+ int err;
+@@ -93,13 +93,13 @@ static int zrle_compress_data(VncState *vs, int level)
+ }
+
+ /* reserve memory in output buffer */
+- buffer_reserve(&vs->zrle.zlib, vs->zrle.zrle.offset + 64);
++ buffer_reserve(&vs->zrle->zlib, vs->zrle->zrle.offset + 64);
+
+ /* set pointers */
+- zstream->next_in = vs->zrle.zrle.buffer;
+- zstream->avail_in = vs->zrle.zrle.offset;
+- zstream->next_out = vs->zrle.zlib.buffer + vs->zrle.zlib.offset;
+- zstream->avail_out = vs->zrle.zlib.capacity - vs->zrle.zlib.offset;
++ zstream->next_in = vs->zrle->zrle.buffer;
++ zstream->avail_in = vs->zrle->zrle.offset;
++ zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset;
++ zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset;
+ zstream->data_type = Z_BINARY;
+
+ /* start encoding */
+@@ -108,8 +108,8 @@ static int zrle_compress_data(VncState *vs, int level)
+ return -1;
+ }
+
+- vs->zrle.zlib.offset = vs->zrle.zlib.capacity - zstream->avail_out;
+- return vs->zrle.zlib.offset;
++ vs->zrle->zlib.offset = vs->zrle->zlib.capacity - zstream->avail_out;
++ return vs->zrle->zlib.offset;
+ }
+
+ /* Try to work out whether to use RLE and/or a palette. We do this by
+@@ -259,14 +259,14 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
+ size_t bytes;
+ int zywrle_level;
+
+- if (vs->zrle.type == VNC_ENCODING_ZYWRLE) {
+- if (!vs->vd->lossy || vs->tight.quality == (uint8_t)-1
+- || vs->tight.quality == 9) {
++ if (vs->zrle->type == VNC_ENCODING_ZYWRLE) {
++ if (!vs->vd->lossy || vs->tight->quality == (uint8_t)-1
++ || vs->tight->quality == 9) {
+ zywrle_level = 0;
+- vs->zrle.type = VNC_ENCODING_ZRLE;
+- } else if (vs->tight.quality < 3) {
++ vs->zrle->type = VNC_ENCODING_ZRLE;
++ } else if (vs->tight->quality < 3) {
+ zywrle_level = 3;
+- } else if (vs->tight.quality < 6) {
++ } else if (vs->tight->quality < 6) {
+ zywrle_level = 2;
+ } else {
+ zywrle_level = 1;
+@@ -337,30 +337,30 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
+
+ vnc_zrle_stop(vs);
+ bytes = zrle_compress_data(vs, Z_DEFAULT_COMPRESSION);
+- vnc_framebuffer_update(vs, x, y, w, h, vs->zrle.type);
++ vnc_framebuffer_update(vs, x, y, w, h, vs->zrle->type);
+ vnc_write_u32(vs, bytes);
+- vnc_write(vs, vs->zrle.zlib.buffer, vs->zrle.zlib.offset);
++ vnc_write(vs, vs->zrle->zlib.buffer, vs->zrle->zlib.offset);
+ return 1;
+ }
+
+ int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ {
+- vs->zrle.type = VNC_ENCODING_ZRLE;
++ vs->zrle->type = VNC_ENCODING_ZRLE;
+ return zrle_send_framebuffer_update(vs, x, y, w, h);
+ }
+
+ int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ {
+- vs->zrle.type = VNC_ENCODING_ZYWRLE;
++ vs->zrle->type = VNC_ENCODING_ZYWRLE;
+ return zrle_send_framebuffer_update(vs, x, y, w, h);
+ }
+
+ void vnc_zrle_clear(VncState *vs)
+ {
+- if (vs->zrle.stream.opaque) {
+- deflateEnd(&vs->zrle.stream);
++ if (vs->zrle->stream.opaque) {
++ deflateEnd(&vs->zrle->stream);
+ }
+- buffer_free(&vs->zrle.zrle);
+- buffer_free(&vs->zrle.fb);
+- buffer_free(&vs->zrle.zlib);
++ buffer_free(&vs->zrle->zrle);
++ buffer_free(&vs->zrle->fb);
++ buffer_free(&vs->zrle->zlib);
+ }
+diff --git a/ui/vnc.c b/ui/vnc.c
+index dbbc76e..d13e7e2 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1297,6 +1297,8 @@ void vnc_disconnect_finish(VncState *vs)
+ object_unref(OBJECT(vs->sioc));
+ vs->sioc = NULL;
+ vs->magic = 0;
++ g_free(vs->zrle);
++ g_free(vs->tight);
+ g_free(vs);
+ }
+
+@@ -2106,8 +2108,8 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
+
+ vs->features = 0;
+ vs->vnc_encoding = 0;
+- vs->tight.compression = 9;
+- vs->tight.quality = -1; /* Lossless by default */
++ vs->tight->compression = 9;
++ vs->tight->quality = -1; /* Lossless by default */
+ vs->absolute = -1;
+
+ /*
+@@ -2175,11 +2177,11 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
+ vs->features |= VNC_FEATURE_LED_STATE_MASK;
+ break;
+ case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
+- vs->tight.compression = (enc & 0x0F);
++ vs->tight->compression = (enc & 0x0F);
+ break;
+ case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
+ if (vs->vd->lossy) {
+- vs->tight.quality = (enc & 0x0F);
++ vs->tight->quality = (enc & 0x0F);
+ }
+ break;
+ default:
+@@ -3089,6 +3091,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
+ int i;
+
+ trace_vnc_client_connect(vs, sioc);
++ vs->zrle = g_new0(VncZrle, 1);
++ vs->tight = g_new0(VncTight, 1);
+ vs->magic = VNC_MAGIC;
+ vs->sioc = sioc;
+ object_ref(OBJECT(vs->sioc));
+@@ -3100,19 +3104,19 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
+ buffer_init(&vs->output, "vnc-output/%p", sioc);
+ buffer_init(&vs->jobs_buffer, "vnc-jobs_buffer/%p", sioc);
+
+- buffer_init(&vs->tight.tight, "vnc-tight/%p", sioc);
+- buffer_init(&vs->tight.zlib, "vnc-tight-zlib/%p", sioc);
+- buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
++ buffer_init(&vs->tight->tight, "vnc-tight/%p", sioc);
++ buffer_init(&vs->tight->zlib, "vnc-tight-zlib/%p", sioc);
++ buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
+ #ifdef CONFIG_VNC_JPEG
+- buffer_init(&vs->tight.jpeg, "vnc-tight-jpeg/%p", sioc);
++ buffer_init(&vs->tight->jpeg, "vnc-tight-jpeg/%p", sioc);
+ #endif
+ #ifdef CONFIG_VNC_PNG
+- buffer_init(&vs->tight.png, "vnc-tight-png/%p", sioc);
++ buffer_init(&vs->tight->png, "vnc-tight-png/%p", sioc);
+ #endif
+ buffer_init(&vs->zlib.zlib, "vnc-zlib/%p", sioc);
+- buffer_init(&vs->zrle.zrle, "vnc-zrle/%p", sioc);
+- buffer_init(&vs->zrle.fb, "vnc-zrle-fb/%p", sioc);
+- buffer_init(&vs->zrle.zlib, "vnc-zrle-zlib/%p", sioc);
++ buffer_init(&vs->zrle->zrle, "vnc-zrle/%p", sioc);
++ buffer_init(&vs->zrle->fb, "vnc-zrle-fb/%p", sioc);
++ buffer_init(&vs->zrle->zlib, "vnc-zrle-zlib/%p", sioc);
+
+ if (skipauth) {
+ vs->auth = VNC_AUTH_NONE;
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 7626329..8d9687c 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -335,10 +335,10 @@ struct VncState
+ /* Encoding specific, if you add something here, don't forget to
+ * update vnc_async_encoding_start()
+ */
+- VncTight tight;
++ VncTight *tight;
+ VncZlib zlib;
+ VncHextile hextile;
+- VncZrle zrle;
++ VncZrle *zrle;
+ VncZywrle zywrle;
+
+ Notifier mouse_mode_notifier;
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 90638d7..66e0eff 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 2.12.0
-Release: 99%{?dist}
+Release: 99%{?dist}.2
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@@ -1876,6 +1876,22 @@ Patch918: kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
Patch919: kvm-slirp-disable-tcp_emu.patch
# For bz#1790308 - qemu-kvm core dump when do L1 guest live migration with L2 guest running
Patch920: kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch921: kvm-util-add-slirp_fmt-helpers.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch922: kvm-dhcpv6-use-slirp_fmt.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch923: kvm-misc-use-slirp_fmt0.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch924: kvm-tftp-use-slirp_fmt0.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch925: kvm-tcp_ctl-use-slirp_fmt.patch
+# For bz#1834477 - CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z]
+Patch926: kvm-tcp_emu-fix-unsafe-snprintf-usages.patch
+# For bz#1816763 - CVE-2019-20382 virt:rhel/qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-8]
+Patch927: kvm-vnc-add-magic-cookie-to-VncState.patch
+# For bz#1816763 - CVE-2019-20382 virt:rhel/qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-8]
+Patch928: kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
BuildRequires: zlib-devel
BuildRequires: glib2-devel
@@ -2762,6 +2778,22 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
+* Mon Jun 01 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8_2.2
+- kvm-vnc-add-magic-cookie-to-VncState.patch [bz#1816763]
+- kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch [bz#1816763]
+- Resolves: bz#1816763
+ (CVE-2019-20382 virt:rhel/qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-8])
+
+* Tue May 26 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8.1
+- kvm-util-add-slirp_fmt-helpers.patch [bz#1834477]
+- kvm-dhcpv6-use-slirp_fmt.patch [bz#1834477]
+- kvm-misc-use-slirp_fmt0.patch [bz#1834477]
+- kvm-tftp-use-slirp_fmt0.patch [bz#1834477]
+- kvm-tcp_ctl-use-slirp_fmt.patch [bz#1834477]
+- kvm-tcp_emu-fix-unsafe-snprintf-usages.patch [bz#1834477]
+- Resolves: bz#1834477
+ (CVE-2020-8608 virt:rhel/qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-8.2.0.z])
+
* Fri Feb 21 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8
- kvm-slirp-disable-tcp_emu.patch [bz#1791677]
- kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch [bz#1790308]