From 2a4734c66f73fb378654d379acad2328cfc9b152 Mon Sep 17 00:00:00 2001
From: Josef Gajdusek
Date: Fri, 4 Nov 2016 12:24:08 +0100
Subject: [PATCH] hextileDecode.h: Fix buffer overflow

The hextileDecodexx functions do not properly check for out-of-bounds writes, which allows a malicious server to overwrite parts of the stack.
---
 common/rfb/hextileDecode.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/common/rfb/hextileDecode.h b/common/rfb/hextileDecode.h
index 47006a04..402cd031 100644
--- a/common/rfb/hextileDecode.h
+++ b/common/rfb/hextileDecode.h
@@ -22,6 +22,7 @@
 // BPP - 8, 16 or 32
 #include
+#include
 #include
 namespace rfb {
@@ -87,6 +88,9 @@ static void HEXTILE_DECODE (const Rect& r, rdr::InStream* is,
 int y = (xy & 15);
 int w = ((wh >> 4) & 15) + 1;
 int h = (wh & 15) + 1;
+ if (x + w > 16 || y + h > 16) {
+ throw rfb::Exception("HEXTILE_DECODE: Hextile out of bounds");
+ }
 PIXEL_T* ptr = buf + y * t.width() + x;
 int rowAdd = t.width() - w;
 while (h-- > 0) {
-- 
2.39.5
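Review bot: The new guard in the second hunk bounds the subrect by the constant 16, while the pointer arithmetic directly below it uses `t.width()` as the row stride, so the check and the write it protects are measured against different sizes. If a tile at the edge of the rectangle can be narrower or shorter than 16 (likely, but the tile setup is outside this hunk), a subrect that fits in 16x16 but not in the tile still passes, `rowAdd` becomes negative and the fill lands in the wrong rows. Whether those writes stay inside `buf` depends on its declared size, which is also outside the hunk. Consider checking against the tile itself, `if (x + w > t.width() || y + h > t.height()) {`. Alternatively keep the constant and add a comment such as `// buf holds 16*16 pixels; a subrect must stay inside the tile` once that size is confirmed.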