[Bugfix] Use rdr::U32 type for length of strings handled by *CutText functions.
This avoids big buffer overflow when memcpy is called with "-1" argument.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@3607 3789f03b-4d11-0410-bbf8-ca57d06f2519
diff --git a/common/rfb/CMsgHandler.cxx b/common/rfb/CMsgHandler.cxx
index bbc1176..4b33852 100644
--- a/common/rfb/CMsgHandler.cxx
+++ b/common/rfb/CMsgHandler.cxx
@@ -80,7 +80,7 @@
{
}
-void CMsgHandler::serverCutText(const char* str, int len)
+void CMsgHandler::serverCutText(const char* str, rdr::U32 len)
{
}
diff --git a/common/rfb/CMsgHandler.h b/common/rfb/CMsgHandler.h
index 6c86df0..188963a 100644
--- a/common/rfb/CMsgHandler.h
+++ b/common/rfb/CMsgHandler.h
@@ -57,7 +57,7 @@
virtual void setColourMapEntries(int firstColour, int nColours,
rdr::U16* rgbs);
virtual void bell();
- virtual void serverCutText(const char* str, int len);
+ virtual void serverCutText(const char* str, rdr::U32 len);
virtual void fillRect(const Rect& r, Pixel pix);
virtual void imageRect(const Rect& r, void* pixels);
diff --git a/common/rfb/CMsgReader.cxx b/common/rfb/CMsgReader.cxx
index 0e3d967..488f549 100644
--- a/common/rfb/CMsgReader.cxx
+++ b/common/rfb/CMsgReader.cxx
@@ -60,7 +60,7 @@
void CMsgReader::readServerCutText()
{
is->skip(3);
- int len = is->readU32();
+ rdr::U32 len = is->readU32();
if (len > 256*1024) {
is->skip(len);
fprintf(stderr,"cut text too long (%d bytes) - ignoring\n",len);
diff --git a/common/rfb/CMsgWriter.cxx b/common/rfb/CMsgWriter.cxx
index 26e0d50..8948cbd 100644
--- a/common/rfb/CMsgWriter.cxx
+++ b/common/rfb/CMsgWriter.cxx
@@ -124,7 +124,7 @@
}
-void CMsgWriter::clientCutText(const char* str, int len)
+void CMsgWriter::clientCutText(const char* str, rdr::U32 len)
{
startMsg(msgTypeClientCutText);
os->pad(3);
diff --git a/common/rfb/CMsgWriter.h b/common/rfb/CMsgWriter.h
index 19be8df..5794f91 100644
--- a/common/rfb/CMsgWriter.h
+++ b/common/rfb/CMsgWriter.h
@@ -50,7 +50,7 @@
// InputHandler implementation
virtual void keyEvent(rdr::U32 key, bool down);
virtual void pointerEvent(const Point& pos, int buttonMask);
- virtual void clientCutText(const char* str, int len);
+ virtual void clientCutText(const char* str, rdr::U32 len);
ConnParams* getConnParams() { return cp; }
rdr::OutStream* getOutStream() { return os; }
diff --git a/unix/vncviewer/DesktopWindow.cxx b/unix/vncviewer/DesktopWindow.cxx
index 657572a..8919859 100644
--- a/unix/vncviewer/DesktopWindow.cxx
+++ b/unix/vncviewer/DesktopWindow.cxx
@@ -254,7 +254,7 @@
setColourMapEntriesTimer.start(100);
}
-void DesktopWindow::serverCutText(const char* str, int len)
+void DesktopWindow::serverCutText(const char* str, rdr::U32 len)
{
if (acceptClipboard) {
newServerCutText = true;
diff --git a/unix/vncviewer/DesktopWindow.h b/unix/vncviewer/DesktopWindow.h
index a1af750..fe5ef82 100644
--- a/unix/vncviewer/DesktopWindow.h
+++ b/unix/vncviewer/DesktopWindow.h
@@ -55,7 +55,7 @@
// Methods forwarded from CConn
void setColourMapEntries(int firstColour, int nColours, rdr::U16* rgbs);
- void serverCutText(const char* str, int len);
+ void serverCutText(const char* str, rdr::U32 len);
void framebufferUpdateEnd();
void fillRect(const rfb::Rect& r, rfb::Pixel pix) {
diff --git a/win/vncviewer/CConn.cxx b/win/vncviewer/CConn.cxx
index d269748..81df866 100644
--- a/win/vncviewer/CConn.cxx
+++ b/win/vncviewer/CConn.cxx
@@ -698,7 +698,7 @@
}
void
-CConn::serverCutText(const char* str, int len) {
+CConn::serverCutText(const char* str, rdr::U32 len) {
if (!options.serverCutText) return;
window->serverCutText(str, len);
}
diff --git a/win/vncviewer/CConn.h b/win/vncviewer/CConn.h
index 29023f3..d294f9e 100644
--- a/win/vncviewer/CConn.h
+++ b/win/vncviewer/CConn.h
@@ -105,7 +105,7 @@
void setCursor(int w, int h, const Point& hotspot, void* data, void* mask);
void setName(const char* name);
void serverInit();
- void serverCutText(const char* str, int len);
+ void serverCutText(const char* str, rdr::U32 len);
void beginRect(const Rect& r, unsigned int encoding);
void endRect(const Rect& r, unsigned int encoding);
void fillRect(const Rect& r, Pixel pix);
diff --git a/win/vncviewer/DesktopWindow.cxx b/win/vncviewer/DesktopWindow.cxx
index eac2b6f..5a9fe4e 100644
--- a/win/vncviewer/DesktopWindow.cxx
+++ b/win/vncviewer/DesktopWindow.cxx
@@ -1275,7 +1275,7 @@
void
-DesktopWindow::serverCutText(const char* str, int len) {
+DesktopWindow::serverCutText(const char* str, rdr::U32 len) {
CharArray t(len+1);
memcpy(t.buf, str, len);
t.buf[len] = 0;
diff --git a/win/vncviewer/DesktopWindow.h b/win/vncviewer/DesktopWindow.h
index 4319b75..259b6b0 100644
--- a/win/vncviewer/DesktopWindow.h
+++ b/win/vncviewer/DesktopWindow.h
@@ -117,7 +117,7 @@
char* getMonitor() const;
// - Set the local clipboard
- void serverCutText(const char* str, int len);
+ void serverCutText(const char* str, rdr::U32 len);
// - Draw into the desktop buffer & update the window
void fillRect(const Rect& r, Pixel pix);