LibVNCClient: make sure ReadFromRFBServer() does not write after buffer end in CoRRE decoding

Closes #250
pull/3/head
Christian Beier 6 years ago
parent c3115350eb
commit 09f2f3fb6a
No known key found for this signature in database
GPG Key ID: 421BB3B45C6067F8

@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int rx, int ry, int rw, int rh)
client->GotFillRect(client, rx, ry, rw, rh, pix);
if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
return FALSE;
ptr = (uint8_t *)client->buffer;
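Review bot: The bound check on the line that compares against `RFB_BUFFER_SIZE` multiplies before it compares, so `hdr.nSubrects * (4 + (BPP / 8))` can wrap around if `nSubrects` is a 32-bit count taken from the server (its declaration is outside the hunk). A wrapped product would be small enough to pass the `> RFB_BUFFER_SIZE` test while the subrect count itself stays huge. Bounding the count by division avoids the overflow: `if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))`. The rest of HandleCoRREBPP, including the code that walks `ptr` per subrect, is outside the hunk, so the downstream effect should be confirmed there.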
