blob: 5ef290129c72550bfa2e1fd0718c69f4f0c0c925 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 Nov 2019 17:18:35 +0100
Subject: [PATCH] libvncclient/cursor: limit width/height input values
Avoids a possible heap overflow reported by Pavel Cheremushkin
<Pavel.Cheremushkin@kaspersky.com>.
re #275
---
libvncclient/cursor.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f4572..40ffb3b 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
#define OPER_SAVE 0
#define OPER_RESTORE 1
+#define MAX_CURSOR_SIZE 1024
+
#define RGB24_TO_PIXEL(bpp,r,g,b) \
((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
<< client->format.redShift | \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
if (width * height == 0)
return TRUE;
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+ return FALSE;
+
/* Allocate memory for pixel data and temporary mask data. */
if(client->rcSource)
free(client->rcSource);
--
2.24.1
|