Fix buffer overflow in ModifiablePixelBuffer::fillRect.

author Michal Srb <michalsrb@gmail.com>

Fri, 13 Jan 2017 14:32:23 +0000 (16:32 +0200)

committer Pierre Ossman <ossman@cendio.se>

Wed, 18 Jan 2017 12:37:34 +0000 (13:37 +0100)
author Michal Srb <michalsrb@gmail.com>
Fri, 13 Jan 2017 14:32:23 +0000 (16:32 +0200)
committer Pierre Ossman <ossman@cendio.se>
Wed, 18 Jan 2017 12:37:34 +0000 (13:37 +0100)
diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx

index 89addabcca459989f57551ac51f143d2e1a2d5cd..7f3df6cba883f6acbf8f26c541eaefd63f917a50 100644 (file)
--- a/common/rfb/PixelBuffer.cxx
+++ b/common/rfb/PixelBuffer.cxx
@@ -101,15 +101,26 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
    int stride;
    U8 *buf;
    int w, h, b;
+  Rect drect;
  
-  w = r.width();
-  h = r.height();
+  drect = r;
+  if (!drect.enclosed_by(getRect())) {
+    vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d",
+               drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_);
+    drect = drect.intersect(getRect());
+  }
+
+  if (drect.is_empty())
+    return;
+
+  w = drect.width();
+  h = drect.height();
    b = format.bpp/8;
  
    if (h == 0)
      return;
  
-  buf = getBufferRW(r, &stride);
+  buf = getBufferRW(drect, &stride);
  
    if (b == 1) {
      while (h--) {
@@ -136,7 +147,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
      }
    }
  
-  commitBufferRW(r);
+  commitBufferRW(drect);
  }
  
  void ModifiablePixelBuffer::imageRect(const Rect& r,
author	Michal Srb <michalsrb@gmail.com>
	Fri, 13 Jan 2017 14:32:23 +0000 (16:32 +0200)
committer	Pierre Ossman <ossman@cendio.se>
	Wed, 18 Jan 2017 12:37:34 +0000 (13:37 +0100)