Fix buffer overflow in ModifiablePixelBuffer::fillRect.
It can be triggered by an RRE message with a subrectangle outside the framebuffer
boundaries. This fix may also prevent the same kind of issue caused by an evil
message from another encoding.
michalsrb committed Jan 17, 2017
1 parent 0f626ad commit 18c0201
Showing 1 changed file with 15 additions and 4 deletions.
19 changes: 15 additions & 4 deletions common/rfb/PixelBuffer.cxx
Expand Up @@ -101,15 +101,26 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
int stride;
U8 *buf;
int w, h, b;
Rect drect;

w = r.width();
h = r.height();
drect = r;
if (!drect.enclosed_by(getRect())) {
vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d",
drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_);
drect = drect.intersect(getRect());
}

if (drect.is_empty())
return;

w = drect.width();
h = drect.height();
b = format.bpp/8;

if (h == 0)
return;

buf = getBufferRW(r, &stride);
buf = getBufferRW(drect, &stride);

if (b == 1) {
while (h--) {
Expand All @@ -136,7 +147,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
}
}

commitBufferRW(r);
commitBufferRW(drect);
}

void ModifiablePixelBuffer::imageRect(const Rect& r,
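Review bot: The `!drect.enclosed_by(getRect())` branch clamps the rectangle and keeps going, so the decoder carries on with a stream that has already sent out-of-range geometry, and `vlog.error` fires once per offending subrectangle, which lets a hostile peer drive log volume. Consider rejecting the update at that point, for example by throwing from the branch if the decode path already handles exceptions (not visible here), or bounds-checking subrectangles in the RRE decoder before they reach fillRect. If clamping stays, a comment such as `// Untrusted geometry from the peer: clamp to the framebuffer before getBufferRW()` above the check would record why it exists. The later `if (h == 0) return;` looks redundant after the new `drect.is_empty()` return. imageRect starts right after this function and its body is outside the view, so whether it and the other writers validate their Rect the same way should be confirmed.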
