Error out in rfbProcessFileTransferReadBuffer if length can not be allocated

re #273
pull/3/head
Christian Beier 5 years ago
parent a64c3b37af
commit 15bb719c03
No known key found for this signature in database
GPG Key ID: 421BB3B45C6067F8

@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl, uint32_t length)
int n=0; int n=0;
FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL); FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
/* /*
rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length); We later alloc length+1, which might wrap around on 32-bit systems if length equals
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
will safely be allocated since this check will never trigger and malloc() can digest length+1
without problems as length is a uint32_t.
*/ */
if(length == SIZE_MAX) {
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
rfbCloseClient(cl);
return NULL;
}
if (length>0) { if (length>0) {
buffer=malloc((uint64_t)length+1); buffer=malloc((size_t)length+1);
if (buffer!=NULL) { if (buffer!=NULL) {
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) { if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
if (n != 0) if (n != 0)

Loading…
Cancel
Save