aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichal Srb <michalsrb@gmail.com>2017-04-06 23:52:22 +0300
committerMichal Srb <michalsrb@gmail.com>2017-04-06 23:52:22 +0300
commitc26b4b3bd20b40ca5f1ae9477164473fbd94995d (patch)
treedba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2
parent83722048ddbe3eafe41bdccca4d706e98b25103b (diff)
downloadtigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.tar.gz
tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.zip
Limit size of cursor accepted by client.
Width and height of a cursor are received as U16 from network. Accepting full range of U16 values can cause integer overflows in multiple places. The worst is probably VLA in CMsgReader::readSetXCursor: rdr::U8 buf[width*height*4]; The width*height*4 can be too big to fit on stack or it can overflow into negative numbers. Both cases are undefined behaviour. Following writes to buf can overwrite other data on stack.
-rw-r--r--common/rfb/CMsgReader.cxx9
-rw-r--r--common/rfb/CMsgReader.h2
2 files changed, 11 insertions, 0 deletions
diff --git a/common/rfb/CMsgReader.cxx b/common/rfb/CMsgReader.cxx
index 7233fbd7..9abe3f24 100644
--- a/common/rfb/CMsgReader.cxx
+++ b/common/rfb/CMsgReader.cxx
@@ -202,6 +202,9 @@ void CMsgReader::readRect(const Rect& r, int encoding)
void CMsgReader::readSetXCursor(int width, int height, const Point& hotspot)
{
+ if (width > maxCursorSize || height > maxCursorSize)
+ throw Exception("Too big cursor");
+
rdr::U8 pr, pg, pb;
rdr::U8 sr, sg, sb;
int data_len = ((width+7)/8) * height;
@@ -257,6 +260,9 @@ void CMsgReader::readSetXCursor(int width, int height, const Point& hotspot)
void CMsgReader::readSetCursor(int width, int height, const Point& hotspot)
{
+ if (width > maxCursorSize || height > maxCursorSize)
+ throw Exception("Too big cursor");
+
int data_len = width * height * (handler->cp.pf().bpp/8);
int mask_len = ((width+7)/8) * height;
rdr::U8Array data(data_len);
@@ -295,6 +301,9 @@ void CMsgReader::readSetCursor(int width, int height, const Point& hotspot)
void CMsgReader::readSetCursorWithAlpha(int width, int height, const Point& hotspot)
{
+ if (width > maxCursorSize || height > maxCursorSize)
+ throw Exception("Too big cursor");
+
int encoding;
const PixelFormat rgbaPF(32, 32, false, true, 255, 255, 255, 16, 8, 0);
diff --git a/common/rfb/CMsgReader.h b/common/rfb/CMsgReader.h
index ff73414e..7b52033f 100644
--- a/common/rfb/CMsgReader.h
+++ b/common/rfb/CMsgReader.h
@@ -69,6 +69,8 @@ namespace rfb {
CMsgHandler* handler;
rdr::InStream* is;
int nUpdateRectsLeft;
+
+ static const int maxCursorSize = 256;
};
}
#endif