LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
re #273
bk138 committed Jan 6, 2019
1 parent 9998dee commit c2c4b81
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions libvncclient/rfbproto.c
Expand Up @@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);

/* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
if (client->si.nameLength > 1<<20) {
rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
return FALSE;
}

client->desktopName = malloc(client->si.nameLength + 1);
if (!client->desktopName) {
rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
(unsigned long)client->si.nameLength);
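
Review bot: the bound in `if (client->si.nameLength > 1<<20)` is an unnamed literal, and the removed comment about integer wrap-around has no replacement, so nothing in the code now records that this check is what keeps `client->si.nameLength + 1` in the `malloc` call from wrapping. Suggest a named constant for the limit (for example a hypothetical `MAX_DESKTOP_NAME_LENGTH`) with a one-line comment stating that it both caps the server-controlled allocation size and makes the `+ 1` safe, so a later change to the limit does not silently reintroduce the wrap. A smaller point: the new error message prints the length with `%u` and an `(unsigned int)` cast while the existing allocation-failure log just below uses `%lu` and `(unsigned long)`; using one form for both would keep the two messages consistent.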