From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
|
|
From: Christian Beier <dontmind@freeshell.org>
|
|
Date: Tue, 3 Nov 2020 13:44:14 -0600
|
|
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
|
|
|
|
Addresses GitHub Security Lab (GHSL) Vulnerability Report
|
|
`GHSL-2020-063`.
|
|
|
|
Re #275
|
|
---
|
|
libvncclient/rfbproto.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
|
|
index 94751a22..7ba00b55 100644
|
|
--- a/libvncclient/rfbproto.c
|
|
+++ b/libvncclient/rfbproto.c
|
|
@@ -73,6 +73,8 @@
|
|
# define snprintf _snprintf /* MSVC went straight to the underscored syntax */
|
|
#endif
|
|
|
|
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
|
|
+
|
|
/*
|
|
* rfbClientLog prints a time-stamped message to the log file (stderr).
|
|
*/
|
|
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
|
|
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
|
|
break;
|
|
default:
|
|
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
|
|
+ return FALSE;
|
|
buffer=malloc(msg.tc.length+1);
|
|
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
|
|
{
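Review bot: The result of `buffer=malloc(msg.tc.length+1);` just below the new bound check is still handed to `ReadFromRFBServer` without a NULL test. With a server-chosen length of up to 10MB the allocation can fail, and the read would then be given a null destination. Adding `if (!buffer) return FALSE;` directly after the allocation would close that gap. It would also help to log the rejection before the new `return FALSE;`, since an oversized length otherwise appears to end message handling with no diagnostic for the user. HandleRFBServerMessage starts and ends outside this hunk, so the declared type of `msg.tc.length` and what happens to `buffer` after the read are not visible here.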
|
|
--
|
|
2.28.0
|
|
|