From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
From: Christian Beier
Date: Tue, 3 Nov 2020 13:44:14 -0600
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size

Addresses GitHub Security Lab (GHSL) Vulnerability Report `GHSL-2020-063`.
Re #275
---
 libvncclient/rfbproto.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 94751a22..7ba00b55 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -73,6 +73,8 @@
 # define snprintf _snprintf /* MSVC went straight to the underscored syntax */
 #endif
 
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
 /*
 * rfbClientLog prints a time-stamped message to the log file (stderr).
 */
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
 client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
 break;
 default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
 buffer=malloc(msg.tc.length+1);
 if (!ReadFromRFBServer(client, buffer, msg.tc.length))
 {
--
2.28.0
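Review bot: The comment on `MAX_TEXTCHAT_SIZE` gives the value in megabytes but not what it bounds or why, which matters because this constant is the only limit on a length field that comes from the server. I would document it as `/* Upper bound in bytes on the server-supplied text chat length; larger messages are rejected before any allocation. */`. Writing the value as `(10 * 1024 * 1024)` would also make the unit self-evident without the trailing comment.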
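Review bot: The `malloc(msg.tc.length+1)` result on the context line after the new check is still passed to `ReadFromRFBServer` without a NULL test. A length of up to 10 MB stays under the server's control, so an allocation failure is still reachable; adding `if (!buffer) return FALSE;` directly after the `malloc` would close that gap. The new `return FALSE;` also drops the message silently, so logging first would leave a trace for anyone triaging a disconnected session or a misbehaving server, e.g. `rfbClientLog("Text chat length %u exceeds MAX_TEXTCHAT_SIZE, rejecting\n", (unsigned int)msg.tc.length);`. HandleRFBServerMessage starts and ends outside the hunk, so how `buffer` is terminated and freed later is not visible here.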