authorJosef Gajdusek <atx@atx.name>2016-11-04 12:24:08 +0100
committerJosef Gajdusek <atx@atx.name>2016-11-04 19:21:31 +0100
commit2a4734c66f73fb378654d379acad2328cfc9b152 (patch)
treecc8de89a486b337d85fb607905d4b7f25c2141c5 /common
parent6c0181c6f7241eaa9b19417c1729af463677c434 (diff)
downloadtigervnc-2a4734c66f73fb378654d379acad2328cfc9b152.tar.gz
tigervnc-2a4734c66f73fb378654d379acad2328cfc9b152.zip
hextileDecode.h: Fix buffer overflow
The hextileDecodexx functions do not properly check for out-of-bounds writes, which allows a malicious server to overwrite parts of the stack.
Diffstat (limited to 'common')
-rw-r--r--common/rfb/hextileDecode.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/common/rfb/hextileDecode.h b/common/rfb/hextileDecode.h
index 47006a04..402cd031 100644
--- a/common/rfb/hextileDecode.h
+++ b/common/rfb/hextileDecode.h
@@ -22,6 +22,7 @@
// BPP - 8, 16 or 32
#include <rdr/InStream.h>
+#include <rfb/Exception.h>
#include <rfb/hextileConstants.h>
namespace rfb {
@@ -87,6 +88,9 @@ static void HEXTILE_DECODE (const Rect& r, rdr::InStream* is,
int y = (xy & 15);
int w = ((wh >> 4) & 15) + 1;
int h = (wh & 15) + 1;
+ if (x + w > 16 || y + h > 16) {
+ throw rfb::Exception("HEXTILE_DECODE: Hextile out of bounds");
+ }
PIXEL_T* ptr = buf + y * t.width() + x;
int rowAdd = t.width() - w;
while (h-- > 0) {
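Review bot: The added guard `if (x + w > 16 || y + h > 16)` checks the subrectangle against the maximum hextile size, not against the current tile `t`, whose width is the row stride on the very next line (`buf + y * t.width() + x`). For a tile narrower or shorter than 16, a server-supplied subrect can pass this check and still extend past the tile's own edges, so `rowAdd = t.width() - w` can go negative and rows spill into their neighbours. Whether the last write still lands inside `buf` depends on how `buf` is sized, which is declared outside this hunk. Bounding against the tile itself removes that dependency: `if (x + w > t.width() || y + h > t.height())`. The body of HEXTILE_DECODE starts and ends outside the hunk, so it is worth confirming the other decode paths in the function use the same bound.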