From 466de9c52e925ea784fe4ce455741b2638ee3e94 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Wed, 18 Jan 2017 13:33:48 +0100
Subject: [PATCH] Check invalid RRE rects
---
 common/rfb/rreDecode.h | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/common/rfb/rreDecode.h b/common/rfb/rreDecode.h
index 56defbd1..f9fdcfc9 100644
--- a/common/rfb/rreDecode.h
+++ b/common/rfb/rreDecode.h
@@ -22,6 +22,7 @@
 // BPP - 8, 16 or 32
 #include
+#include
 namespace rfb {
@@ -49,6 +50,10 @@ void RRE_DECODE (const Rect& r, rdr::InStream* is,
 int y = is->readU16();
 int w = is->readU16();
 int h = is->readU16();
+
+ if (((x+w) > r.width()) || ((y+h) > r.height()))
+ throw Exception ("RRE decode error");
+
+ pb->fillRect(pf, Rect(r.tl.x+x, r.tl.y+y, r.tl.x+x+w, r.tl.y+y+h), &pix);
 }
 }
-- 
2.39.5
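Review bot: The bounds check added before `pb->fillRect` in RRE_DECODE has no comment saying what it protects or why an upper-bound test alone is sufficient, and that reasoning is not obvious from the two lines. `y`, `w` and `h` come from `readU16()` (the read of `x` is outside the hunk, presumably the same), so they are peer-controlled but cannot be negative, and `x+w` / `y+h` cannot overflow `int`. I would record that above the check, e.g. `// Sub-rect is peer-supplied and relative to r; U16 fields are non-negative and cannot overflow int, so only the upper bounds need testing`. The throw also appears to sit inside the sub-rectangle loop (its header is outside the hunk), so earlier sub-rectangles may already be drawn and the stream is left mid-rectangle; a short comment that callers must treat this exception as fatal for the connection would help, if that is the intended contract. The check only constrains the sub-rectangle to `r`, so it relies on `r` itself having been validated against the pixel buffer elsewhere, which these lines do not show.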