Check invalid RRE rects

author Pierre Ossman <ossman@cendio.se>

Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)

committer Pierre Ossman <ossman@cendio.se>

Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)
author Pierre Ossman <ossman@cendio.se>
Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)
committer Pierre Ossman <ossman@cendio.se>
Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)
diff --git a/common/rfb/rreDecode.h b/common/rfb/rreDecode.h

index 56defbd1bfe7f954ce70ddc2c2f0cbedd93b110f..f9fdcfc98ba668b3c030a4737cc7bd178e3dfe5b 100644 (file)
--- a/common/rfb/rreDecode.h
+++ b/common/rfb/rreDecode.h
@@ -22,6 +22,7 @@
  // BPP                - 8, 16 or 32
  
  #include <rdr/InStream.h>
+#include <rfb/Exception.h>
  
  namespace rfb {
  
@@ -49,6 +50,10 @@ void RRE_DECODE (const Rect& r, rdr::InStream* is,
      int y = is->readU16();
      int w = is->readU16();
      int h = is->readU16();
+
+    if (((x+w) > r.width()) || ((y+h) > r.height()))
+      throw Exception ("RRE decode error");
+
      pb->fillRect(pf, Rect(r.tl.x+x, r.tl.y+y, r.tl.x+x+w, r.tl.y+y+h), &pix);
    }
  }
author	Pierre Ossman <ossman@cendio.se>
	Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)
committer	Pierre Ossman <ossman@cendio.se>
	Wed, 18 Jan 2017 12:33:48 +0000 (13:33 +0100)