author | Adam Tkac <atkac@redhat.com> | 2009-02-13 12:42:05 +0000 |
---|---|---|
committer | Adam Tkac <atkac@redhat.com> | 2009-02-13 12:42:05 +0000 |
commit | acf6c6b9accec6de7076e3e4931265126ef510e8 (patch) | |
tree | 361e711dd8bd17969fd2102026eae4940ba350c2 /common | |
parent | 48df274707abbe41848428f9d1e7670db0d065ca (diff) | |
download | tigervnc-acf6c6b9accec6de7076e3e4931265126ef510e8.tar.gz tigervnc-acf6c6b9accec6de7076e3e4931265126ef510e8.zip |
[Bugfix] Use rdr::U32 type for length of strings handled by *CutText functions.
This avoids big buffer overflow when memcpy is called with "-1" argument.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@3607 3789f03b-4d11-0410-bbf8-ca57d06f2519
Diffstat (limited to 'common')
-rw-r--r-- | common/rfb/CMsgHandler.cxx | 2 | ||||
-rw-r--r-- | common/rfb/CMsgHandler.h | 2 | ||||
-rw-r--r-- | common/rfb/CMsgReader.cxx | 2 | ||||
-rw-r--r-- | common/rfb/CMsgWriter.cxx | 2 | ||||
-rw-r--r-- | common/rfb/CMsgWriter.h | 2 |
5 files changed, 5 insertions, 5 deletions
diff --git a/common/rfb/CMsgHandler.cxx b/common/rfb/CMsgHandler.cxx
index bbc11763..4b338524 100644
--- a/common/rfb/CMsgHandler.cxx
+++ b/common/rfb/CMsgHandler.cxx
@@ -80,7 +80,7 @@ void CMsgHandler::bell()
 {
 }
-void CMsgHandler::serverCutText(const char* str, int len)
+void CMsgHandler::serverCutText(const char* str, rdr::U32 len)
 {
 }
diff --git a/common/rfb/CMsgHandler.h b/common/rfb/CMsgHandler.h
index 6c86df01..188963a4 100644
--- a/common/rfb/CMsgHandler.h
+++ b/common/rfb/CMsgHandler.h
@@ -57,7 +57,7 @@ namespace rfb {
 virtual void setColourMapEntries(int firstColour, int nColours, rdr::U16* rgbs);
 virtual void bell();
- virtual void serverCutText(const char* str, int len);
+ virtual void serverCutText(const char* str, rdr::U32 len);
 virtual void fillRect(const Rect& r, Pixel pix);
 virtual void imageRect(const Rect& r, void* pixels);
diff --git a/common/rfb/CMsgReader.cxx b/common/rfb/CMsgReader.cxx
index 0e3d9679..488f549c 100644
--- a/common/rfb/CMsgReader.cxx
+++ b/common/rfb/CMsgReader.cxx
@@ -60,7 +60,7 @@ void CMsgReader::readBell()
 void CMsgReader::readServerCutText()
 {
 is->skip(3);
- int len = is->readU32();
+ rdr::U32 len = is->readU32();
 if (len > 256*1024) {
 is->skip(len);
 fprintf(stderr,"cut text too long (%d bytes) - ignoring\n",len);
diff --git a/common/rfb/CMsgWriter.cxx b/common/rfb/CMsgWriter.cxx
index 26e0d50c..8948cbdd 100644
--- a/common/rfb/CMsgWriter.cxx
+++ b/common/rfb/CMsgWriter.cxx
@@ -124,7 +124,7 @@ void CMsgWriter::pointerEvent(const Point& pos, int buttonMask)
 }
-void CMsgWriter::clientCutText(const char* str, int len)
+void CMsgWriter::clientCutText(const char* str, rdr::U32 len)
 {
 startMsg(msgTypeClientCutText);
 os->pad(3);
diff --git a/common/rfb/CMsgWriter.h b/common/rfb/CMsgWriter.h
index 19be8df9..5794f91d 100644
--- a/common/rfb/CMsgWriter.h
+++ b/common/rfb/CMsgWriter.h
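Review bot: Changing the virtual `serverCutText` in `CMsgHandler.h` to take `rdr::U32 len` silently detaches any subclass that still declares `serverCutText(const char* str, int len)`: that declaration now hides the base method instead of overriding it, and it still compiles. Calls made through `CMsgHandler` would then reach the empty default body in `CMsgHandler.cxx`, so clipboard data sent by the server would be dropped with no diagnostic. This page shows only the files under `common/`, so the overriding classes cannot be checked here; each of them needs `virtual void serverCutText(const char* str, rdr::U32 len);` in the same change. The same holds for `clientCutText` in `CMsgWriter.h`, listed under `// InputHandler implementation`: if the `InputHandler` declaration (not in this diff) still takes `int len`, the writer no longer overrides it.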
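Review bot: The `fprintf` in `readServerCutText` still formats `len` with `%d` although `len` is now `rdr::U32`, so an oversized length sent by the server, such as 0xFFFFFFFF, would be logged as -1; assuming `rdr::U32` is an `unsigned int`, the line should read `fprintf(stderr,"cut text too long (%u bytes) - ignoring\n",len);`. The same branch passes the unsigned value to `is->skip(len)`, and if `skip` takes a signed `int` (its declaration is not in this diff) a length above INT_MAX would convert to a negative count and leave the stream out of step with the server. Rejecting such a length outright, for example by closing the connection, would be safer than trying to skip it. The body of `readServerCutText` continues past the end of the hunk, so the copy that the commit message refers to is not visible here.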
@@ -50,7 +50,7 @@ namespace rfb {
 // InputHandler implementation
 virtual void keyEvent(rdr::U32 key, bool down);
 virtual void pointerEvent(const Point& pos, int buttonMask);
- virtual void clientCutText(const char* str, int len);
+ virtual void clientCutText(const char* str, rdr::U32 len);
 ConnParams* getConnParams() { return cp; }
 rdr::OutStream* getOutStream() { return os; } |