Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_tigervnc / c26b4b3bd20b40ca5f1ae9477164473fbd94995d
commitc26b4b3bd20b40ca5f1ae9477164473fbd94995d[log] [tgz]
authorMichal Srb <michalsrb@gmail.com>Thu Apr 06 23:52:22 2017 +0300
committerMichal Srb <michalsrb@gmail.com>Thu Apr 06 23:52:22 2017 +0300
treedba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2
parent83722048ddbe3eafe41bdccca4d706e98b25103b [diff]
Limit size of cursor accepted by client.

Width and height of a cursor are received as U16 from network. Accepting full range of U16 values can cause integer overflows in multiple places.

The worst is probably VLA in CMsgReader::readSetXCursor:
  rdr::U8 buf[width*height*4];

The width*height*4 can be too big to fit on stack or it can overflow into negative numbers. Both cases are undefined behaviour. Following writes to buf can overwrite other data on stack.
2 files changed
tree: dba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2
  1. cmake/
  2. common/
  3. contrib/
  4. doc/
  5. java/
  6. media/
  7. po/
  8. release/
  9. tests/
  10. unix/
  11. vncviewer/
  12. win/
  13. BUILDING.txt
  14. CMakeLists.txt
  15. config.h.in
  16. LICENCE.TXT
  17. README.txt