2482f8b8dc
Security fixes for: * CVE-2019-8287 * CVE-2019-15678 * CVE-2019-15679 * CVE-2019-15680 mostly adapted from patches fixing similar issues in the actively maintained libvnc (#73970)
18 lines
651 B
Diff
18 lines
651 B
Diff
Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
|
|
diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
|
|
index 04b0230..47a6863 100644
|
|
--- a/vncviewer/rfbproto.c
|
|
+++ b/vncviewer/rfbproto.c
|
|
@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
|
|
if (serverCutText)
|
|
free(serverCutText);
|
|
|
|
+ if (msg.sct.length > 1<<20) {
|
|
+ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
|
|
+ (unsigned int)msg.sct.length);
|
|
+ return False;
|
|
+ }
|
|
+
|
|
serverCutText = malloc(msg.sct.length+1);
|
|
|
|
if (!ReadFromRFBServer(serverCutText, msg.sct.length))
|