authorMichal Srb <michalsrb@gmail.com>2017-01-13 16:32:23 +0200
committerMichal Srb <michalsrb@gmail.com>2017-01-17 16:47:50 +0200
commit18c020124ff1b2441f714da2017f63dba50720ba (patch)
treed7dd2287a4d329b6a2ac2c9f22823520bac515d2
parent0f626ad79a1259904db70f12ba1682910d9155c8 (diff)
downloadtigervnc-18c020124ff1b2441f714da2017f63dba50720ba.tar.gz
tigervnc-18c020124ff1b2441f714da2017f63dba50720ba.zip
Fix buffer overflow in ModifiablePixelBuffer::fillRect.
It can be triggered by an RRE message with a subrectangle outside the framebuffer boundaries. It may also prevent the same kind of issue caused by an evil message from another encoding.
-rw-r--r--common/rfb/PixelBuffer.cxx19
1 files changed, 15 insertions, 4 deletions
diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx
index 89addabc..7f3df6cb 100644
--- a/common/rfb/PixelBuffer.cxx
+++ b/common/rfb/PixelBuffer.cxx
@@ -101,15 +101,26 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
int stride;
U8 *buf;
int w, h, b;
+ Rect drect;
- w = r.width();
- h = r.height();
+ drect = r;
+ if (!drect.enclosed_by(getRect())) {
+ vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d",
+ drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_);
+ drect = drect.intersect(getRect());
+ }
+
+ if (drect.is_empty())
+ return;
+
+ w = drect.width();
+ h = drect.height();
b = format.bpp/8;
if (h == 0)
return;
- buf = getBufferRW(r, &stride);
+ buf = getBufferRW(drect, &stride);
if (b == 1) {
while (h--) {
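Review bot: The `if (h == 0) return;` kept after `b = format.bpp/8;` looks unreachable now, since the new `drect.is_empty()` guard already returns before `h` is computed (assuming `Rect::is_empty()` reports a non-positive width or height — its definition is not visible in this hunk); either drop it or replace it with a comment such as `// drect is non-empty here: the is_empty() check above already rejected zero width/height` so the clipping logic lives in one place. The clip itself deserves a one-line why-comment, e.g. `// Clip instead of rejecting: a malformed rect from the peer must never reach getBufferRW() with coordinates outside the framebuffer`, because a reader may otherwise wonder why an out-of-bounds rectangle is drawn partially rather than dropped. The error log fires once per malformed rectangle, so a peer sending many bad subrectangles can inflate the log quickly; a rate-limited or debug-level message may be preferable. fillRect's body continues in the second hunk, which is cut off at the end of this page, and imageRect (whose signature starts there) is not visible enough to tell whether it gets the same clipping.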
@@ -136,7 +147,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
}
}
- commitBufferRW(r);
+ commitBufferRW(drect);
}
void ModifiablePixelBuffer::imageRect(const Rect& r,