authorChristian Beier <dontmind@freeshell.org>2019-01-06 14:20:37 +0100
committerChristian Beier <dontmind@freeshell.org>2019-01-06 14:20:37 +0100
commitc2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 (patch)
treeb83beae8b70463cad9001c42ada8cf548de0c1d5
parent9998deee9c2c633e6aa93c01fb37b46137533528 (diff)
downloadlibtdevnc-c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7.tar.gz
libtdevnc-c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7.zip
LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
re #273
-rw-r--r--libvncclient/rfbproto.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index e56e778..6af21a5 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
- /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
- client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
+ if (client->si.nameLength > 1<<20) {
+ rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
+ return FALSE;
+ }
+
+ client->desktopName = malloc(client->si.nameLength + 1);
if (!client->desktopName) {
rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
(unsigned long)client->si.nameLength);
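Review bot: The new bound `1<<20` in the added check is a bare magic number, and with the old wrap-around comment deleted nothing explains why the `+ 1` on the following malloc is now safe; name the limit and say so, e.g. `#define RFB_MAX_DESKTOP_NAME_LEN (1<<20)` at file scope and `/* nameLength <= RFB_MAX_DESKTOP_NAME_LEN, so the + 1 below cannot wrap */` above the malloc. The check itself looks sound: si.nameLength appears to be a 32-bit unsigned wire value (it goes through rfbClientSwap32IfLE and is cast to unsigned int for the log), so once the cap holds both the comparison and the addition are overflow-free. The remaining point is outside this hunk: the read of nameLength bytes into desktopName that presumably follows must use this same capped length, otherwise the limit only bounds the allocation. InitialiseRFBConnection starts and ends outside the hunk.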