diff options
| author | Pierre Ossman <ossman@cendio.se> | 2017-01-18 13:33:48 +0100 |
|---|---|---|
| committer | Pierre Ossman <ossman@cendio.se> | 2017-01-18 13:33:48 +0100 |
| commit | 466de9c52e925ea784fe4ce455741b2638ee3e94 (patch) | |
| tree | 899a02b00d4103aa45bab4d6a180c853c3349f18 /common | |
| parent | 18c020124ff1b2441f714da2017f63dba50720ba (diff) | |
| download | tigervnc-466de9c52e925ea784fe4ce455741b2638ee3e94.tar.gz tigervnc-466de9c52e925ea784fe4ce455741b2638ee3e94.zip | |
Check invalid RRE rects
Diffstat (limited to 'common')
| -rw-r--r-- | common/rfb/rreDecode.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/common/rfb/rreDecode.h b/common/rfb/rreDecode.h index 56defbd1..f9fdcfc9 100644 --- a/common/rfb/rreDecode.h +++ b/common/rfb/rreDecode.h @@ -22,6 +22,7 @@ // BPP - 8, 16 or 32 #include <rdr/InStream.h> +#include <rfb/Exception.h> namespace rfb { @@ -49,6 +50,10 @@ void RRE_DECODE (const Rect& r, rdr::InStream* is, int y = is->readU16(); int w = is->readU16(); int h = is->readU16(); + + if (((x+w) > r.width()) || ((y+h) > r.height())) + throw Exception ("RRE decode error"); + pb->fillRect(pf, Rect(r.tl.x+x, r.tl.y+y, r.tl.x+x+w, r.tl.y+y+h), &pix); } } |