From: Pierre Ossman <ossman@cendio.se>
Date: Wed, 18 Jan 2017 12:33:48 +0000 (+0100)
Subject: Check invalid RRE rects
X-Git-Tag: v1.7.90~52
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=466de9c52e925ea784fe4ce455741b2638ee3e94;p=tigervnc.git

Check invalid RRE rects
---

diff --git a/common/rfb/rreDecode.h b/common/rfb/rreDecode.h
index 56defbd1..f9fdcfc9 100644
--- a/common/rfb/rreDecode.h
+++ b/common/rfb/rreDecode.h
@@ -22,6 +22,7 @@
 // BPP                - 8, 16 or 32
 
 #include <rdr/InStream.h>
+#include <rfb/Exception.h>
 
 namespace rfb {
 
@@ -49,6 +50,10 @@ void RRE_DECODE (const Rect& r, rdr::InStream* is,
     int y = is->readU16();
     int w = is->readU16();
     int h = is->readU16();
+
+    if (((x+w) > r.width()) || ((y+h) > r.height()))
+      throw Exception ("RRE decode error");
+
     pb->fillRect(pf, Rect(r.tl.x+x, r.tl.y+y, r.tl.x+x+w, r.tl.y+y+h), &pix);
   }
 }