LibVNCClient: fail on server-sent desktop name lengths longer than 1MB

re #273
pull/3/head
Christian Beier 6 years ago
parent 9998deee9c
commit c2c4b81e6c
No known key found for this signature in database
GPG Key ID: 421BB3B45C6067F8

@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax); client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength); client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
/* To guard against integer wrap-around, si.nameLength is cast to 64 bit */ if (client->si.nameLength > 1<<20) {
client->desktopName = malloc((uint64_t)client->si.nameLength + 1); rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
return FALSE;
}
client->desktopName = malloc(client->si.nameLength + 1);
if (!client->desktopName) { if (!client->desktopName) {
rfbClientLog("Error allocating memory for desktop name, %lu bytes\n", rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
(unsigned long)client->si.nameLength); (unsigned long)client->si.nameLength);
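Review bot: The new `malloc(client->si.nameLength + 1)` relies entirely on the 1 MB check a few lines above to keep the `+ 1` from wrapping, but nothing in the new code says the two are linked. The comment that explained the wrap-around concern was removed together with the 64-bit cast. I would add a comment above the allocation, e.g. `/* nameLength is capped at 1 MB above, so nameLength + 1 cannot wrap around */`, so that a later change to the limit is reviewed with the allocation in mind. The literal `1<<20` would also read better as a named constant, since the error text repeats it as "1 MB" and the two can drift apart. InitialiseRFBConnection starts and ends outside this hunk, so whether the later read into desktopName uses the same length is not visible here.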
