Fix buffer over-reads in handle_tight

For performance reasons, the `handle_tight` function skips the use of the receive queue API and uses the raw receive queue directly. Because of the way that typed array receive queue gets reused, this introduced the potential for buffer over-reads. To address this, a new function, `rQwhole`, was introduced. `rQwhole` simply returns a new view into the receive queue that starts at 0 and ends at the current recorded end of the queue. `handle_tight` now makes use of this function. Fixes #522
novnc · Aug 26, 2015 · 89bdc8c · 89bdc8c
1 parent a369a80
commit 89bdc8c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/include/rfb.js b/include/rfb.js
@@ -1782,8 +1782,8 @@ var RFB;
                 return dest;
             }.bind(this);
 
-            var rQ = this._sock.get_rQ();
             var rQi = this._sock.get_rQi();
+            var rQ = this._sock.rQwhole();
             var cmode, data;
             var cl_header, cl_data;
 

diff --git a/include/websock.js b/include/websock.js
@@ -154,6 +154,10 @@ function Websock() {
             this._rQi += len;
         },
 
+        rQwhole: function () {
+            return new Uint8Array(this._rQ.buffer, 0, this._rQlen);
+        },
+
         rQslice: function (start, end) {
             if (end) {
                 return new Uint8Array(this._rQ.buffer, this._rQi + start, end - start);