Make the server a little less DoS:able by validating update regions.

git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@3701 3789f03b-4d11-0410-bbf8-ca57d06f2519

1 files changed, 13 insertions, 0 deletions

diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 3b4448b4..58ec8aa8 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -484,6 +484,14 @@ void VNCSConnectionST::framebufferUpdateRequest(const Rect& r,bool incremental)
 
   SConnection::framebufferUpdateRequest(r, incremental);
 
+  // Check that the client isn't sending crappy requests
+  if (!r.enclosed_by(Rect(0, 0, cp.width, cp.height))) {
+    vlog.error("FramebufferUpdateRequest %dx%d at %d,%d exceeds framebuffer %dx%d",
+               r.width(), r.height(), r.tl.x, r.tl.y, cp.width, cp.height);
+    // We crop the size later in writeFramebufferUpdate() so no need to
+    // do so now.
+  }
+
   // Just update the requested region.
   // Framebuffer update will be sent a bit later, see processMessages().
   Region reqRgn(r);
@@ -561,6 +569,11 @@ void VNCSConnectionST::writeSetCursorCallback()
 
 void VNCSConnectionST::writeFramebufferUpdate()
 {
+  // The framebuffer might have changed size since the
+  // FramebufferUpdateRequest message was received. Clip it to the current
+  // size of the framebuffer.
+  requested = requested.intersect(Region(Rect(0, 0, cp.width, cp.height)));
+
   if (state() != RFBSTATE_NORMAL || requested.is_empty()) return;
 
   updates.enable_copyrect(cp.useCopyRect);