summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--libvncclient/rfbproto.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 4541e0d..8792dbf 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -2217,6 +2217,11 @@ HandleRFBServerMessage(rfbClient* client)
msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
+ if (msg.sct.length > 1<<20) {
+ rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length);
+ return FALSE;
+ }
+
buffer = malloc((uint64_t)msg.sct.length+1);
if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {