|
 |
cbc7f1 |
From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
|
|
|
cbc7f1 |
From: Christian Beier <dontmind@freeshell.org>
|
|
|
cbc7f1 |
Date: Sun, 17 Nov 2019 17:18:35 +0100
|
|
|
cbc7f1 |
Subject: [PATCH] libvncclient/cursor: limit width/height input values
|
|
|
cbc7f1 |
MIME-Version: 1.0
|
|
|
cbc7f1 |
Content-Type: text/plain; charset=UTF-8
|
|
|
cbc7f1 |
Content-Transfer-Encoding: 8bit
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
Avoids a possible heap overflow reported by Pavel Cheremushkin
|
|
|
cbc7f1 |
<Pavel.Cheremushkin@kaspersky.com>.
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
re #275
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
cbc7f1 |
---
|
|
|
cbc7f1 |
libvncclient/cursor.c | 5 +++++
|
|
|
cbc7f1 |
1 file changed, 5 insertions(+)
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
|
|
|
cbc7f1 |
index 67f45726..40ffb3b0 100644
|
|
|
cbc7f1 |
--- a/libvncclient/cursor.c
|
|
|
cbc7f1 |
+++ b/libvncclient/cursor.c
|
|
|
cbc7f1 |
@@ -28,6 +28,8 @@
|
|
|
cbc7f1 |
#define OPER_SAVE 0
|
|
|
cbc7f1 |
#define OPER_RESTORE 1
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
+#define MAX_CURSOR_SIZE 1024
|
|
|
cbc7f1 |
+
|
|
|
cbc7f1 |
#define RGB24_TO_PIXEL(bpp,r,g,b) \
|
|
|
cbc7f1 |
((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
|
|
|
cbc7f1 |
<< client->format.redShift | \
|
|
|
cbc7f1 |
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
|
|
|
cbc7f1 |
if (width * height == 0)
|
|
|
cbc7f1 |
return TRUE;
|
|
|
cbc7f1 |
|
|
|
cbc7f1 |
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
|
|
|
cbc7f1 |
+ return FALSE;
|
|
|
cbc7f1 |
+
|
|
|
cbc7f1 |
/* Allocate memory for pixel data and temporary mask data. */
|
|
|
cbc7f1 |
if(client->rcSource)
|
|
|
cbc7f1 |
free(client->rcSource);
|
|
|
cbc7f1 |
--
|
|
|
cbc7f1 |
2.21.1
|
|
|
cbc7f1 |
|