From 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Thu, 4 Oct 2018 22:27:39 +0200 Subject: [PATCH] LibVNCClient: really fix #250 --- libvncclient/corre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvncclient/corre.c b/libvncclient/corre.c index 55107b1..cbc986a 100644 --- a/libvncclient/corre.c +++ b/libvncclient/corre.c @@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int rx, int ry, int rw, int rh) client->GotFillRect(client, rx, ry, rw, rh, pix); - if (hdr.nSubrects * (4 + (BPP / 8)) > RFB_BUFFER_SIZE || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) + if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8)))) return FALSE; ptr = (uint8_t *)client->buffer;