authorMichal Srb <michalsrb@gmail.com>2017-03-27 19:02:15 +0300
committerMichal Srb <michalsrb@gmail.com>2017-03-27 19:02:15 +0300
commitf3afa24da144409a3c3a0e35913112583d987671 (patch)
tree3318ab59e016e6e55ec1b7d3135cc3f1f960c475 /common/rfb/SMsgWriter.cxx
parent53f520567202928f908b5f94f6d143e7067a8bdd (diff)
Prevent double free by crafted fences.
If a client sent a fence with some data, followed by a fence with no data (length 0), the original fence data was freed, but the pointer kept pointing at it. Sending one more fence would attempt to free it again.
Diffstat (limited to 'common/rfb/SMsgWriter.cxx')
-rw-r--r--common/rfb/SMsgWriter.cxx4
1 files changed, 3 insertions, 1 deletions
diff --git a/common/rfb/SMsgWriter.cxx b/common/rfb/SMsgWriter.cxx
index cf3264e8..bc3f4398 100644
--- a/common/rfb/SMsgWriter.cxx
+++ b/common/rfb/SMsgWriter.cxx
@@ -101,7 +101,9 @@ void SMsgWriter::writeFence(rdr::U32 flags, unsigned len, const char data[])
os->writeU32(flags);
os->writeU8(len);
- os->writeBytes(data, len);
+
+ if (len > 0)
+ os->writeBytes(data, len);
endMsg();
}
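Review bot: The new `if (len > 0)` guard in front of `os->writeBytes(data, len)` carries no comment saying why a zero-length write has to be skipped, so it reads as redundant and could be dropped in a later cleanup. Going by the commit message, the reason appears to be that `data` can be null or stale when `len` is 0 and must not be handed to the stream at all; I would put `// data may be NULL or stale when len == 0; never pass it on` directly above the guard. This section shows only the writer side, so the pointer reset that actually prevents the second free is presumably in another file of the commit and cannot be checked here. writeFence starts above the hunk, so whether `len` is bounded before `os->writeU8(len)` narrows it to one byte is not visible from these lines either.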