From 07008deea297c3e1183f0c9bdeb071b128ff4619 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Thu, 7 Jan 2010 18:58:49 +0100
Subject: [PATCH] libvncserver/font.c: add some checks to rfbDrawChar().

In some cases (bad font data) the coordinates evaluate to <0,
causing a segfault in the following memcpy().

[jes: keep the offset, but do not try to segfault]

Signed-off-by: Christian Beier <dontmind@freeshell.org>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 libvncserver/font.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libvncserver/font.c b/libvncserver/font.c
index 8ba1020..a9091d2 100755
--- a/libvncserver/font.c
+++ b/libvncserver/font.c
@@ -24,7 +24,8 @@ int rfbDrawChar(rfbScreenInfoPtr rfbScreen,rfbFontDataPtr font,
 	d=*data;
 	data++;
       }
-      if(d&0x80)
+      if(d&0x80 && y+j >= 0 && y+j < rfbScreen->height &&
+          x+i >= 0 && x+i < rfbScreen->width)
 	memcpy(rfbScreen->frameBuffer+(y+j)*rowstride+(x+i)*bpp,colour,bpp);
       d<<=1;
     }