authorPierre Ossman <ossman@cendio.se>2009-03-20 15:55:37 +0000
committerPierre Ossman <ossman@cendio.se>2009-03-20 15:55:37 +0000
commitd9a59ba3060fc6f4f2b347bba41fa1881a111618 (patch)
tree7b13fd9dbda79692680174b1037a6eb0c42b8a63 /common
parentcd13bf677c6dbde85df6267dfae35707e048c2c7 (diff)
Make the server a little less DoS:able by validating update regions.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@3701 3789f03b-4d11-0410-bbf8-ca57d06f2519
Diffstat (limited to 'common')
-rw-r--r--common/rfb/VNCSConnectionST.cxx13
1 files changed, 13 insertions, 0 deletions
diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 3b4448b4..58ec8aa8 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -484,6 +484,14 @@ void VNCSConnectionST::framebufferUpdateRequest(const Rect& r,bool incremental)
SConnection::framebufferUpdateRequest(r, incremental);
+ // Check that the client isn't sending crappy requests
+ if (!r.enclosed_by(Rect(0, 0, cp.width, cp.height))) {
+ vlog.error("FramebufferUpdateRequest %dx%d at %d,%d exceeds framebuffer %dx%d",
+ r.width(), r.height(), r.tl.x, r.tl.y, cp.width, cp.height);
+ // We crop the size later in writeFramebufferUpdate() so no need to
+ // do so now.
+ }
+
// Just update the requested region.
// Framebuffer update will be sent a bit later, see processMessages().
Region reqRgn(r);
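Review bot: The added `vlog.error` call runs once for every out-of-bounds FramebufferUpdateRequest, and the rectangle comes straight from the client, so a peer that keeps sending oversized requests can grow the server log at error level without limit. A well-behaved client that is only racing a framebuffer resize triggers the same message, which makes error level noisy for a benign case. Consider logging it once per connection, or at a lower level such as `vlog.debug(...)` with the same format string. The function body continues beyond this hunk, so how `reqRgn` is used afterwards is not visible here.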
@@ -561,6 +569,11 @@ void VNCSConnectionST::writeSetCursorCallback()
void VNCSConnectionST::writeFramebufferUpdate()
{
+ // The framebuffer might have changed size since the
+ // FramebufferUpdateRequest message was received. Clip it to the current
+ // size of the framebuffer.
+ requested = requested.intersect(Region(Rect(0, 0, cp.width, cp.height)));
+
if (state() != RFBSTATE_NORMAL || requested.is_empty()) return;
updates.enable_copyrect(cp.useCopyRect);
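Review bot: This `intersect` appears to be the only place the client-supplied region is bounded, so `requested` stays unclipped from framebufferUpdateRequest() until the next write. Any code that reads `requested` in between (not visible in this diff) would still see out-of-range coordinates. Clipping at request time as well, e.g. `Region reqRgn(r.intersect(Rect(0, 0, cp.width, cp.height)));`, would establish the bound at the trust boundary while this line keeps handling later resizes. If the deferred clip is meant to be the sole check, the comment should say so, e.g. `// This is the only bounds enforcement for client-requested rectangles.` writeFramebufferUpdate() continues past the end of the hunk.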