hextileDecode.h: Fix buffer overflow The hextileDecodexx functions do not properly check for out-of-bounds writes, which allows a malicious server to overwrite parts of the stack.

commit: 2a4734c66f73fb378654d379acad2328cfc9b152 [log] [tgz]
author: Josef Gajdusek <atx@atx.name> Fri Nov 04 12:24:08 2016 +0100
committer: Josef Gajdusek <atx@atx.name> Fri Nov 04 19:21:31 2016 +0100
tree: cc8de89a486b337d85fb607905d4b7f25c2141c5
parent: 6c0181c6f7241eaa9b19417c1729af463677c434 [diff] [blame]
diff --git a/common/rfb/hextileDecode.h b/common/rfb/hextileDecode.h
index 47006a0..402cd03 100644
--- a/common/rfb/hextileDecode.h
+++ b/common/rfb/hextileDecode.h

@@ -22,6 +22,7 @@
 // BPP                - 8, 16 or 32
 
 #include <rdr/InStream.h>
+#include <rfb/Exception.h>
 #include <rfb/hextileConstants.h>
 
 namespace rfb {
@@ -87,6 +88,9 @@
           int y = (xy & 15);
           int w = ((wh >> 4) & 15) + 1;
           int h = (wh & 15) + 1;
+          if (x + w > 16 || y + h > 16) {
+            throw rfb::Exception("HEXTILE_DECODE: Hextile out of bounds");
+          }
           PIXEL_T* ptr = buf + y * t.width() + x;
           int rowAdd = t.width() - w;
           while (h-- > 0) {
commit	2a4734c66f73fb378654d379acad2328cfc9b152	[log] [tgz]
author	Josef Gajdusek <atx@atx.name>	Fri Nov 04 12:24:08 2016 +0100
committer	Josef Gajdusek <atx@atx.name>	Fri Nov 04 19:21:31 2016 +0100
tree	cc8de89a486b337d85fb607905d4b7f25c2141c5
parent	6c0181c6f7241eaa9b19417c1729af463677c434 [diff] [blame]