
Commit c2c4b81

committed
LibVNCClient: fail on server-sent desktop name lengths longer than 1MB
re #273
1 parent 9998dee commit c2c4b81


1 file changed

+6
-2
lines changed


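--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1224,8 +1224,12 @@ InitialiseRFBConnection(rfbClient* client)
 client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
 client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
 
-/* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
-client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
+if (client->si.nameLength > 1<<20) {
+rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
+return FALSE;
+}
+
+client->desktopName = malloc(client->si.nameLength + 1);
 if (!client->desktopName) {
 rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
 (unsigned long)client->si.nameLength);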
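Review bot: The length check added at `if (client->si.nameLength > 1<<20) {` has no comment, although the lines it replaces explained the integer wrap-around they guarded against, so a later reader cannot tell that the cap is what now keeps `nameLength + 1` from wrapping in the `malloc` call. I would add `/* nameLength is server-controlled: cap it so nameLength + 1 cannot wrap and the allocation stays bounded */` above the check. The literal `1<<20` and the "1 MB" in the error text are also two copies of one limit; a named constant such as `#define MAX_DESKTOP_NAME_LENGTH (1<<20)` (the name is only a suggestion) used in the comparison would keep them from drifting apart. InitialiseRFBConnection starts and ends outside this hunk, so how the buffer is filled after the allocation is not visible here.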
