Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #436

Merged
merged 2 commits into from Mar 29, 2017
Merged

Fixes #436

Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Next
Fix crash from integer overflow in SMsgReader::readClientCutText
The length sent by client is U32, but is converted into int. If it was bigger than 0x7fffffff the resulting int is negative, it passes the check against maxCutText and later throws std::bad_alloc from CharArray which takes down the whole server.

All the Streaming API deals with lengths in ints, so we can't tell it to skip that big amount of data. And it is not realistic to expect more than 2GB of clipboard data anyway. So lets just throw rdr::Exception that will disconnect this client and keep the server alive.
  • Loading branch information
michalsrb committed Mar 27, 2017
commit bf3bdac082978ca32895a4b6a123016094905689
3 changes: 3 additions & 0 deletions common/rfb/SMsgReader.cxx
Expand Up @@ -200,6 +200,9 @@ void SMsgReader::readClientCutText()
{
is->skip(3);
int len = is->readU32();
if (len < 0) {
throw Exception("Cut text too long.");
}
if (len > maxCutText) {
is->skip(len);
vlog.error("Cut text too long (%d bytes) - ignoring", len);
Expand Down