We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.

This could theoretically be used by a malicious server to inject
code in to the viewer process.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

No one should every try to write to this buffer. Enforce that by
throwing an exception if any one tries to get a writeable pointer
to the data.

We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.

This prevents attackers from from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.

This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

Don't allow subclasses to just override dimensions or buffer details
directly and instead force them to go via methods. This allows us
to do sanity checks on the new values and catch bugs and attacks.

Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.

A malicious server could theoretically use this for remote code
execution in the client.

Issue found by Pavel Cheremushkin from Kaspersky Lab

Don't show the context menu hint when no hotkey is chosen

We need to examine the incoming PixelBuffer, not the previous one
(which might not even be valid).

fix test order in convertLF and convertCRLF

We need to check the buffer length before accessing the incoming
string. Probably not a problem in practice as there should be a
final null in most incoming strings.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

They have very different purpose, so make things easier to work
with by having multiple directories.

Window hooks aren't working well on modern systems so switch the
default to polling until we can fix things.

The new order of test avoid ready invalid memory address in ca.buf

Do not return returncode indicating error when listing sessions

Implements support in both client and server for the extended
clipboard format first seen in UltraVNC. Currently only implements
text handling, but that is still an improvement as it extends the
clipboard from ISO 8859-1 to full Unicode.

In prepartion for better clipboard extensions that can send Unicode
data between the client and server.

Change the internal clipboard API to use a request based model in
order to be prepared for more advanced clipboard transfers.

We convert between UTF-8 and ISO 8859-1 (latin 1) in several places
so create some common routines for this.

We now filter incoming data, which means we can start assuming the
clipboard data is always null terminated. This allows us to clean
up a lot of the internal handling.

This is required by the protocol so we should make sure it is
enforced. We are tolerant of clients that violate this though and
convert incoming clipboard data.

It was unused and added complexity and bugs to the code. So let's
remove it rather than trying to clean up a function no one needed.

Makes it easier to see what is overloaded and what isn't.

We're usually white listed, but let's be a good citizen and formally
request the keyboard grab ability from the compositor.

We will log the exception, so avoid direct writes to stderr by
simply removing these log lines.