Fix buffer overflow in ModifiablePixelBuffer::fillRect. #399
LibVNC had a security bug, and the reproducer can trigger a similar kind of security bug in vncviewer as well:
A malicious VNC server can send an RRE message with a subrectangle which is outside the framebuffer rectangle. Vncviewer then fills this rectangle and writes into random memory.
I wasn't sure at what level the test of whether the subrectangle is inside the framebuffer should be. I've added it to
A good start. We should probably add more checks at other layers as well though. If nothing else to get better error messages.
And I don't see why we don't just completely fail things at this point, as these are invalid requests. I'll do some follow up commits.
Thanks for the report and patch.
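The layered check discussed in this thread, as an added example that is not TigerVNC's code: a fill that fails outright on any rectangle not fully inside the buffer, plus a decoder-level check in front of it. `Rect`, `PixelBuffer`, `rect_inside` and `fill_subrect` are hypothetical names, and the sketch assumes subrectangle coordinates are 16-bit values relative to the enclosing rectangle.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct Rect { int x, y, w, h; };  // hypothetical type for this sketch

// True only if r lies entirely inside a width x height area.
// The sums are done in 64 bits so x + w cannot wrap around.
bool rect_inside(const Rect& r, int width, int height) {
    if (r.x < 0 || r.y < 0 || r.w < 0 || r.h < 0) return false;
    return (int64_t)r.x + r.w <= width && (int64_t)r.y + r.h <= height;
}

class PixelBuffer {  // hypothetical stand-in for a modifiable pixel buffer
public:
    PixelBuffer(int w, int h) : width_(w), height_(h), data_((size_t)w * h, 0) {}
    bool inside(const Rect& r) const { return rect_inside(r, width_, height_); }
    // Lowest layer: reject the request instead of clipping it, write nothing.
    bool fillRect(const Rect& r, uint32_t pix) {
        if (!inside(r)) return false;
        for (int y = r.y; y < r.y + r.h; y++)
            for (int x = r.x; x < r.x + r.w; x++)
                data_[(size_t)y * width_ + x] = pix;
        return true;
    }
    uint32_t at(int x, int y) const { return data_[(size_t)y * width_ + x]; }
private:
    int width_, height_;
    std::vector<uint32_t> data_;
};

// Decoder layer: validate the enclosing rectangle against the framebuffer,
// then the subrectangle against the enclosing rectangle, and only then
// translate to framebuffer coordinates (assumed relative, see lead-in).
bool fill_subrect(PixelBuffer& fb, const Rect& outer, uint16_t sx, uint16_t sy,
                  uint16_t sw, uint16_t sh, uint32_t pix) {
    if (!fb.inside(outer)) return false;
    Rect sub{ (int)sx, (int)sy, (int)sw, (int)sh };
    if (!rect_inside(sub, outer.w, outer.h)) return false;
    sub.x += outer.x;  // cannot overflow: outer is already inside fb
    sub.y += outer.y;
    return fb.fillRect(sub, pix);
}
```

Checking at the decoder as well as in the fill routine lets the decoder report which message was invalid, while the fill routine remains the last line of defence for every other caller.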