- From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
- From: Christian Beier <dontmind@freeshell.org>
- Date: Sun, 17 Nov 2019 17:18:35 +0100
- Subject: [PATCH] libvncclient/cursor: limit width/height input values
- Avoids a possible heap overflow reported by Pavel Cheremushkin
- <Pavel.Cheremushkin@kaspersky.com>.
- re #275
- Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
- [Retrieved from:
- https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed]
- ---
- libvncclient/cursor.c | 5 +++++
- 1 file changed, 5 insertions(+)
- diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
- index 67f45726..40ffb3b0 100644
- --- a/libvncclient/cursor.c
- +++ b/libvncclient/cursor.c
- @@ -28,6 +28,8 @@
- #define OPER_SAVE 0
- #define OPER_RESTORE 1
-
- +#define MAX_CURSOR_SIZE 1024
- +
- #define RGB24_TO_PIXEL(bpp,r,g,b) \
- ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
- << client->format.redShift | \
- @@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
- if (width * height == 0)
- return TRUE;
-
- + if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
- + return FALSE;
- +
- /* Allocate memory for pixel data and temporary mask data. */
- if(client->rcSource)
- free(client->rcSource);
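Review bot: The new size guard is placed after `if (width * height == 0)`, so the signed `int` multiplication still runs on unbounded values before they are rejected. If the caller passes full 16-bit rectangle dimensions (the call site is not visible here), that product can exceed INT_MAX, which is undefined behaviour. The guard also lets negative values through, since both parameters are `int`. I would move it above the multiplication and bound both ends: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;`. A one-line comment on `MAX_CURSOR_SIZE` should say that the bound is exclusive (a side of exactly 1024 is rejected) and that it caps the allocations made further down in HandleCursorShape, whose body continues outside the hunk.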