Commit 0cf1400

committed
fix crash because of unaligned accesses in hybiReadAndDecode()
1 parent 3b3a5c4 commit 0cf1400

1 file changed

+4
-3
lines changed

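--- a/libvncserver/ws_decode.c
+++ b/libvncserver/ws_decode.c
@@ -327,7 +327,6 @@ hybiReadAndDecode(ws_ctx_t *wsctx, char *dst, int len, int *sockRet, int nInBuf)
 int bufsize;
 int nextRead;
 unsigned char *data;
-uint32_t *data32;
 
 /* if data was carried over, copy to start of buffer */
 memcpy(wsctx->writePos, wsctx->carryBuf, wsctx->carrylen);
@@ -383,10 +382,12 @@ hybiReadAndDecode(ws_ctx_t *wsctx, char *dst, int len, int *sockRet, int nInBuf)
 /* for a possible base64 decoding, we decode multiples of 4 bytes until
 * the whole frame is received and carry over any remaining bytes in the carry buf*/
 data = (unsigned char *)(wsctx->writePos - toDecode);
-data32= (uint32_t *)data;
 
 for (i = 0; i < (toDecode >> 2); i++) {
-data32[i] ^= wsctx->header.mask.u;
+uint32_t tmp;
+memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
+tmp ^= wsctx->header.mask.u;
+memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
 }
 ws_dbg("mask decoding; i=%d toDecode=%d\n", i, toDecode);
 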
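Review bot: The new loop body in the second hunk carries no comment explaining why the mask is applied through `memcpy` instead of a `uint32_t *` cast, so a later cleanup could reintroduce the cast and with it the crash on strict-alignment targets. `data` is `wsctx->writePos - toDecode`, which appears to point into a buffer filled from received frame data, so its alignment is effectively decided by the peer. I would add above the loop `/* data may be unaligned (offset depends on the received frame): use memcpy, never a uint32_t* cast */`. Separately, the bounds of `toDecode` are not visible in this hunk: it is printed with `%d`, so presumably a signed int, and both `writePos - toDecode` and `toDecode >> 2` assume it is non-negative and no larger than the bytes already buffered. That is worth confirming in the part of hybiReadAndDecode() that lies outside the hunk.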
