Catch too long input string case in repeater functionality

LibVNC · Nov 17, 2019 · d1a134c · d1a134c
1 parent b299141
commit d1a134c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/examples/repeater.c b/examples/repeater.c
@@ -24,7 +24,11 @@ int main(int argc,char** argv)
     exit(1);
   }
   memset(id, 0, sizeof(id));
-  snprintf(id, sizeof(id), "ID:%s", argv[1]);
+  if(snprintf(id, sizeof(id), "ID:%s", argv[1]) >= (int)sizeof(id)) {
+      /* truncated! */
+      fprintf(stderr, "Error, given ID is too long.\n");
+      return 1;
+  }
   repeaterHost = argv[2];
   repeaterPort = argc < 4 ? 5500 : atoi(argv[3]);
 

diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
@@ -403,7 +403,8 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep
   rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n", major, minor);
 
   memset(tmphost, 0, sizeof(tmphost));
-  snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+  if(snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort) >= (int)sizeof(tmphost))
+    return FALSE; /* output truncated */
   if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
     return FALSE;