|
|
aeec89 |
diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
|
|
|
aeec89 |
index f998c6a..fb9dbd4 100644
|
|
|
aeec89 |
--- a/unix/x0vncserver/Image.cxx
|
|
|
aeec89 |
+++ b/unix/x0vncserver/Image.cxx
|
|
|
aeec89 |
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
|
|
|
aeec89 |
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
|
|
|
aeec89 |
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
|
|
|
aeec89 |
|
|
|
aeec89 |
+ if (xim->bytes_per_line <= 0 ||
|
|
|
aeec89 |
+ xim->height <= 0 ||
|
|
|
aeec89 |
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
|
aeec89 |
+ vlog.error("Invalid display size");
|
|
|
aeec89 |
+ XDestroyImage(xim);
|
|
|
aeec89 |
+ exit(1);
|
|
|
aeec89 |
+ }
|
|
|
aeec89 |
+
|
|
|
aeec89 |
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
|
|
|
aeec89 |
if (xim->data == NULL) {
|
|
|
aeec89 |
vlog.error("malloc() failed");
|
|
|
aeec89 |
@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
|
|
|
aeec89 |
return;
|
|
|
aeec89 |
}
|
|
|
aeec89 |
|
|
|
aeec89 |
+ if (xim->bytes_per_line <= 0 ||
|
|
|
aeec89 |
+ xim->height <= 0 ||
|
|
|
aeec89 |
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
|
aeec89 |
+ vlog.error("Invalid display size");
|
|
|
aeec89 |
+ XDestroyImage(xim);
|
|
|
aeec89 |
+ xim = NULL;
|
|
|
aeec89 |
+ delete shminfo;
|
|
|
aeec89 |
+ shminfo = NULL;
|
|
|
aeec89 |
+ return;
|
|
|
aeec89 |
+ }
|
|
|
aeec89 |
+
|
|
|
aeec89 |
shminfo->shmid = shmget(IPC_PRIVATE,
|
|
|
aeec89 |
xim->bytes_per_line * xim->height,
|
|
|
aeec89 |
IPC_CREAT|0777);
|
|
|
aeec89 |
diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx
|
|
|
aeec89 |
index a2b506d..9266d9f 100644
|
|
|
aeec89 |
--- a/vncviewer/PlatformPixelBuffer.cxx
|
|
|
aeec89 |
+++ b/vncviewer/PlatformPixelBuffer.cxx
|
|
|
aeec89 |
@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
|
|
|
aeec89 |
if (!xim)
|
|
|
aeec89 |
throw rdr::Exception("XCreateImage");
|
|
|
aeec89 |
|
|
|
aeec89 |
+ if (xim->bytes_per_line <= 0 ||
|
|
|
aeec89 |
+ xim->height <= 0 ||
|
|
|
aeec89 |
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
|
aeec89 |
+ if (xim)
|
|
|
aeec89 |
+ XDestroyImage(xim);
|
|
|
aeec89 |
+ xim = NULL;
|
|
|
aeec89 |
+ throw rdr::Exception("Invalid display size");
|
|
|
aeec89 |
+ }
|
|
|
aeec89 |
+
|
|
|
aeec89 |
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
|
|
|
aeec89 |
if (!xim->data)
|
|
|
aeec89 |
throw rdr::Exception("malloc");
|
|
|
aeec89 |
@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm()
|
|
|
aeec89 |
if (!xim)
|
|
|
aeec89 |
goto free_shminfo;
|
|
|
aeec89 |
|
|
|
aeec89 |
+ if (xim->bytes_per_line <= 0 ||
|
|
|
aeec89 |
+ xim->height <= 0 ||
|
|
|
aeec89 |
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
|
aeec89 |
+ XDestroyImage(xim);
|
|
|
aeec89 |
+ xim = NULL;
|
|
|
aeec89 |
+ delete shminfo;
|
|
|
aeec89 |
+ shminfo = NULL;
|
|
|
aeec89 |
+ throw rdr::Exception("Invalid display size");
|
|
|
aeec89 |
+ }
|
|
|
aeec89 |
+
|
|
|
aeec89 |
shminfo->shmid = shmget(IPC_PRIVATE,
|
|
|
aeec89 |
xim->bytes_per_line * xim->height,
|
|
|
aeec89 |
IPC_CREAT|0600);
|