diff options
| author | Christian Beier <dontmind@freeshell.org> | 2018-09-29 22:07:27 +0200 |
|---|---|---|
| committer | Christian Beier <dontmind@freeshell.org> | 2018-09-29 22:07:27 +0200 |
| commit | 09f2f3fb6a5a163e453e5c2979054670c39694bc (patch) | |
| tree | 56e74f40fa81c64fcf1d15eb5a36aab8506c0c03 | |
| parent | c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c (diff) | |
| download | libtdevnc-09f2f3fb.tar.gz libtdevnc-09f2f3fb.zip | |
LibVNCClient: make sure ReadFromRFBServer() does not write after buffer end in CoRRE decoding
Closes #250
| -rw-r--r-- | libvncclient/corre.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libvncclient/corre.c b/libvncclient/corre.c index 66e3b08..55107b1 100644 --- a/libvncclient/corre.c +++ b/libvncclient/corre.c @@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int rx, int ry, int rw, int rh) client->GotFillRect(client, rx, ry, rw, rh, pix); - if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) + if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) return FALSE; ptr = (uint8_t *)client->buffer; |