Make sure clipboard uses \n line endings

This is required by the protocol so we should make sure it is enforced. We are tolerant of clients that violate this though and convert incoming clipboard data.
author: Pierre Ossman <ossman@cendio.se> 2019-05-02 12:32:03 +0200
committer: Pierre Ossman <ossman@cendio.se> 2019-07-01 10:38:35 +0200
commit: 546b2ad80a68e80a737aade06f0685cccb5e9716 (patch)
tree: 60c577e30c103c16175047ea11c2bcee2b101258 /common
parent: 2ff61a285efda80cca7f1855aca23b99149bac8c (diff)
download: tigervnc-546b2ad80a68e80a737aade06f0685cccb5e9716.tar.gz
tigervnc-546b2ad80a68e80a737aade06f0685cccb5e9716.zip
7 files changed, 74 insertions, 6 deletions
diff --git a/common/rfb/CMsgReader.cxx b/common/rfb/CMsgReader.cxx
index 2b5b9fbf..a928eb15 100644
--- a/common/rfb/CMsgReader.cxx
+++ b/common/rfb/CMsgReader.cxx
@@ -157,10 +157,10 @@ void CMsgReader::readServerCutText()
     vlog.error("cut text too long (%d bytes) - ignoring",len);
     return;
   }
-  CharArray ca(len+1);
-  ca.buf[len] = 0;
+  CharArray ca(len);
   is->readBytes(ca.buf, len);
-  handler->serverCutText(ca.buf, len);
+  CharArray filtered(convertLF(ca.buf, len));
+  handler->serverCutText(filtered.buf, strlen(filtered.buf));
 }
 
 void CMsgReader::readFence()
diff --git a/common/rfb/CMsgWriter.cxx b/common/rfb/CMsgWriter.cxx
index d357c976..fed0bd27 100644
--- a/common/rfb/CMsgWriter.cxx
+++ b/common/rfb/CMsgWriter.cxx
@@ -181,6 +181,9 @@ void CMsgWriter::writePointerEvent(const Point& pos, int buttonMask)
 
 void CMsgWriter::writeClientCutText(const char* str, rdr::U32 len)
 {
+  if (memchr(str, '\r', len) != NULL)
+    throw Exception("Invalid carriage return in clipboard data");
+
   startMsg(msgTypeClientCutText);
   os->pad(3);
   os->writeU32(len);
diff --git a/common/rfb/SMsgReader.cxx b/common/rfb/SMsgReader.cxx
index 200350c1..0c0e8b26 100644
--- a/common/rfb/SMsgReader.cxx
+++ b/common/rfb/SMsgReader.cxx
@@ -212,10 +212,10 @@ void SMsgReader::readClientCutText()
     vlog.error("Cut text too long (%d bytes) - ignoring", len);
     return;
   }
-  CharArray ca(len+1);
-  ca.buf[len] = 0;
+  CharArray ca(len);
   is->readBytes(ca.buf, len);
-  handler->clientCutText(ca.buf, len);
+  CharArray filtered(convertLF(ca.buf, len));
+  handler->clientCutText(filtered.buf, strlen(filtered.buf));
 }
 
 void SMsgReader::readQEMUMessage()
diff --git a/common/rfb/SMsgWriter.cxx b/common/rfb/SMsgWriter.cxx
index 6a2c2ba0..f0748ff2 100644
--- a/common/rfb/SMsgWriter.cxx
+++ b/common/rfb/SMsgWriter.cxx
@@ -80,6 +80,9 @@ void SMsgWriter::writeBell()
 
 void SMsgWriter::writeServerCutText(const char* str, int len)
 {
+  if (memchr(str, '\r', len) != NULL)
+    throw Exception("Invalid carriage return in clipboard data");
+
   startMsg(msgTypeServerCutText);
   os->pad(3);
   os->writeU32(len);
diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx
index c95c14f0..7820aef5 100644
--- a/common/rfb/VNCServerST.cxx
+++ b/common/rfb/VNCServerST.cxx
@@ -342,6 +342,8 @@ void VNCServerST::bell()
 
 void VNCServerST::serverCutText(const char* str, int len)
 {
+  if (memchr(str, '\r', len) != NULL)
+    throw Exception("Invalid carriage return in clipboard data");
   std::list<VNCSConnectionST*>::iterator ci, ci_next;
   for (ci = clients.begin(); ci != clients.end(); ci = ci_next) {
     ci_next = ci; ci_next++;
diff --git a/common/rfb/util.cxx b/common/rfb/util.cxx
index f52213b3..f43a9453 100644
--- a/common/rfb/util.cxx
+++ b/common/rfb/util.cxx
@@ -1,4 +1,5 @@
 /* Copyright (C) 2002-2005 RealVNC Ltd.  All Rights Reserved.
+ * Copyright 2011-2019 Pierre Ossman for Cendio AB
  * 
  * This is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -107,6 +108,61 @@ namespace rfb {
     dest[src ? destlen-1 : 0] = 0;
   }
 
+  char* convertLF(const char* src, size_t bytes)
+  {
+    char* buffer;
+    size_t sz;
+
+    char* out;
+    const char* in;
+    size_t in_len;
+
+    // Always include space for a NULL
+    sz = 1;
+
+    // Compute output size
+    in = src;
+    in_len = bytes;
+    while ((*in != '\0') && (in_len > 0)) {
+      if (*in != '\r') {
+        sz++;
+        in++;
+        in_len--;
+        continue;
+      }
+
+      if ((in_len == 0) || (*(in+1) != '\n'))
+        sz++;
+
+      in++;
+      in_len--;
+    }
+
+    // Alloc
+    buffer = new char[sz];
+    memset(buffer, 0, sz);
+
+    // And convert
+    out = buffer;
+    in = src;
+    in_len = bytes;
+    while ((*in != '\0') && (in_len > 0)) {
+      if (*in != '\r') {
+        *out++ = *in++;
+        in_len--;
+        continue;
+      }
+
+      if ((in_len == 0) || (*(in+1) != '\n'))
+        *out++ = '\n';
+
+      in++;
+      in_len--;
+    }
+
+    return buffer;
+  }
+
   unsigned msBetween(const struct timeval *first,
                      const struct timeval *second)
   {
diff --git a/common/rfb/util.h b/common/rfb/util.h
index 9e59bd37..de096692 100644
--- a/common/rfb/util.h
+++ b/common/rfb/util.h
@@ -1,4 +1,5 @@
 /* Copyright (C) 2002-2005 RealVNC Ltd.  All Rights Reserved.
+ * Copyright 2011-2019 Pierre Ossman for Cendio AB
  * 
  * This is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -83,6 +84,9 @@ namespace rfb {
   // Copies src to dest, up to specified length-1, and guarantees termination
   void strCopy(char* dest, const char* src, int destlen);
 
+  // Makes sure line endings are in a certain format
+
+  char* convertLF(const char* src, size_t bytes = (size_t)-1);
 
   // HELPER functions for timeout handling
author	Pierre Ossman <ossman@cendio.se>	2019-05-02 12:32:03 +0200
committer	Pierre Ossman <ossman@cendio.se>	2019-07-01 10:38:35 +0200
commit	546b2ad80a68e80a737aade06f0685cccb5e9716 (patch)
tree	60c577e30c103c16175047ea11c2bcee2b101258 /common
parent	2ff61a285efda80cca7f1855aca23b99149bac8c (diff)
download	tigervnc-546b2ad80a68e80a737aade06f0685cccb5e9716.tar.gz tigervnc-546b2ad80a68e80a737aade06f0685cccb5e9716.zip