Limit size of cursor accepted by client.

Width and height of a cursor are received as U16 from network. Accepting full range of U16 values can cause integer overflows in multiple places. The worst is probably VLA in CMsgReader::readSetXCursor: rdr::U8 buf[width*height*4]; The width*height*4 can be too big to fit on stack or it can overflow into negative numbers. Both cases are undefined behaviour. Following writes to buf can overwrite other data on stack.
author: Michal Srb <michalsrb@gmail.com> 2017-04-06 23:52:22 +0300
committer: Michal Srb <michalsrb@gmail.com> 2017-04-06 23:52:22 +0300
commit: c26b4b3bd20b40ca5f1ae9477164473fbd94995d (patch)
tree: dba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2 /common/rfb/CMsgReader.h
parent: 83722048ddbe3eafe41bdccca4d706e98b25103b (diff)
download: tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.tar.gz
tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/common/rfb/CMsgReader.h b/common/rfb/CMsgReader.h
index ff73414e..7b52033f 100644
--- a/common/rfb/CMsgReader.h
+++ b/common/rfb/CMsgReader.h
@@ -69,6 +69,8 @@ namespace rfb {
     CMsgHandler* handler;
     rdr::InStream* is;
     int nUpdateRectsLeft;
+
+    static const int maxCursorSize = 256;
   };
 }
 #endif
author	Michal Srb <michalsrb@gmail.com>	2017-04-06 23:52:22 +0300
committer	Michal Srb <michalsrb@gmail.com>	2017-04-06 23:52:22 +0300
commit	c26b4b3bd20b40ca5f1ae9477164473fbd94995d (patch)
tree	dba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2 /common/rfb/CMsgReader.h
parent	83722048ddbe3eafe41bdccca4d706e98b25103b (diff)
download	tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.tar.gz tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.zip