libvncclient/cursor: limit width/height input values

Avoids a possible heap overflow reported by Pavel Cheremushkin <Pavel.Cheremushkin@kaspersky.com>. re #275
LibVNC · Nov 17, 2019 · 5422024 · 5422024
1 parent 6073771
commit 5422024
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
 #define OPER_SAVE     0
 #define OPER_RESTORE  1
 
+#define MAX_CURSOR_SIZE 1024
+
 #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
     << client->format.redShift |                                              \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
   if (width * height == 0)
     return TRUE;
 
+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+    return FALSE;
+
   /* Allocate memory for pixel data and temporary mask data. */
   if(client->rcSource)
     free(client->rcSource);