diff options
author | Michal Srb <michalsrb@gmail.com> | 2017-04-06 23:52:22 +0300 |
---|---|---|
committer | Michal Srb <michalsrb@gmail.com> | 2017-04-06 23:52:22 +0300 |
commit | c26b4b3bd20b40ca5f1ae9477164473fbd94995d (patch) | |
tree | dba2f546ea3c02cbf1928fc77cd0a0547a1ce6f2 /java | |
parent | 83722048ddbe3eafe41bdccca4d706e98b25103b (diff) | |
download | tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.tar.gz tigervnc-c26b4b3bd20b40ca5f1ae9477164473fbd94995d.zip |
Limit size of cursor accepted by client.
Width and height of a cursor are received as U16 from network. Accepting full range of U16 values can cause integer overflows in multiple places.
The worst is probably VLA in CMsgReader::readSetXCursor:
rdr::U8 buf[width*height*4];
The width*height*4 can be too big to fit on stack or it can overflow into negative numbers. Both cases are undefined behaviour. Following writes to buf can overwrite other data on stack.
Diffstat (limited to 'java')
0 files changed, 0 insertions, 0 deletions