authorMichal Srb <michalsrb@gmail.com>2017-01-13 16:32:23 +0200
committerPierre Ossman <ossman@cendio.se>2017-01-18 13:37:34 +0100
commit6c39c0cb0191e1ca4fe209450bbe6297f047ce87 (patch)
treed1b4499d2df252ca0f358395899c25e26e1da4e2
parente25272fc74ef09987ccaa33b9bf1736397c76fdf (diff)
downloadtigervnc-6c39c0cb0191e1ca4fe209450bbe6297f047ce87.tar.gz
tigervnc-6c39c0cb0191e1ca4fe209450bbe6297f047ce87.zip
Fix buffer overflow in ModifiablePixelBuffer::fillRect.
It can be triggered by an RRE message with a subrectangle outside the framebuffer boundaries. It may also prevent the same kind of issue caused by an evil message from another encoding. (cherry picked from commit 18c020124ff1b2441f714da2017f63dba50720ba)
-rw-r--r--common/rfb/PixelBuffer.cxx19
1 files changed, 15 insertions, 4 deletions
diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx
index 89addabc..7f3df6cb 100644
--- a/common/rfb/PixelBuffer.cxx
+++ b/common/rfb/PixelBuffer.cxx
@@ -101,15 +101,26 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
int stride;
U8 *buf;
int w, h, b;
+ Rect drect;
- w = r.width();
- h = r.height();
+ drect = r;
+ if (!drect.enclosed_by(getRect())) {
+ vlog.error("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d",
+ drect.width(), drect.height(), drect.tl.x, drect.tl.y, width_, height_);
+ drect = drect.intersect(getRect());
+ }
+
+ if (drect.is_empty())
+ return;
+
+ w = drect.width();
+ h = drect.height();
b = format.bpp/8;
if (h == 0)
return;
- buf = getBufferRW(r, &stride);
+ buf = getBufferRW(drect, &stride);
if (b == 1) {
while (h--) {
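Review bot: The `if (h == 0) return;` that follows `b = format.bpp/8;` is now dead code, because `if (drect.is_empty()) return;` a few lines earlier already rejects an empty destination; dropping those two lines leaves the clamp as the single, obvious bounds check. The `enclosed_by`/`intersect` guard is applied only in fillRect, while imageRect (whose signature is the context line after the second hunk) presumably receives the same client-controlled Rect, so if its body writes through `getBufferRW(r, ...)` it needs the same guard, which this commit does not add. The `vlog.error` line is reachable from a single malformed client message, so a lower log level or some rate limiting would keep a misbehaving peer from filling the server log. fillRect begins before this hunk and ends in the second one.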
@@ -136,7 +147,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix)
}
}
- commitBufferRW(r);
+ commitBufferRW(drect);
}
void ModifiablePixelBuffer::imageRect(const Rect& r,