From 09f2f3fb6a5a163e453e5c2979054670c39694bc Mon Sep 17 00:00:00 2001
From: Christian Beier
Date: Sat, 29 Sep 2018 22:07:27 +0200
Subject: [PATCH] LibVNCClient: make sure ReadFromRFBServer() does not write after buffer end in CoRRE decoding

Closes #250
---
 libvncclient/corre.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libvncclient/corre.c b/libvncclient/corre.c
index 66e3b08..55107b1 100644
--- a/libvncclient/corre.c
+++ b/libvncclient/corre.c
@@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int rx, int ry, int rw, int rh)
 client->GotFillRect(client, rx, ry, rw, rh, pix);
- if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
+ if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
 return FALSE;
 ptr = (uint8_t *)client->buffer;
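Review bot: The added bound compares the product `hdr.nSubrects * (4 + (BPP / 8))` against RFB_BUFFER_SIZE, but the product itself is computed from a server-controlled count before it is checked, so if nSubrects is a 32-bit field (its declaration is not in the hunk; it looks like the on-wire RRE header) a large value can wrap the multiplication to a small number that passes the check, and the per-subrect loop that follows would then walk past the bytes actually read into client->buffer. Checking the count against the quotient avoids the overflow regardless of the field's width: `if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))`. A short comment such as `/* bound nSubrects before multiplying: the count comes from the server and must not overflow or exceed client->buffer */` would also record why the guard is there. HandleCoRREBPP begins and ends outside this hunk, so the loop consuming ptr is not visible here and the wrap consequence is inferred from the read size alone.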