You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
43 lines
1.5 KiB
43 lines
1.5 KiB
commit 045a044e8ae79db9244593fbce154cdf6e843273
|
|
Author: newsoft <newsoft@MacBook-Air-de-newsoft-2.local>
|
|
Date: Fri Aug 15 16:31:13 2014 +0200
|
|
|
|
Fix integer overflow in MallocFrameBuffer()
|
|
|
|
Promote integers to uint64_t to avoid integer overflow issue during
|
|
frame buffer allocation for very large screen sizes
|
|
|
|
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
|
|
index 3b16a6f..24bc6f8 100644
|
|
--- a/libvncclient/vncviewer.c
|
|
+++ b/libvncclient/vncviewer.c
|
|
@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) {
|
|
#endif
|
|
}
|
|
static rfbBool MallocFrameBuffer(rfbClient* client) {
|
|
+uint64_t allocSize;
|
|
+
|
|
if(client->frameBuffer)
|
|
free(client->frameBuffer);
|
|
- client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8);
|
|
+
|
|
+ /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow
|
|
+ 'width' and 'height' are 16-bit integers per RFB protocol design
|
|
+ SIZE_MAX is the maximum value that can fit into size_t
|
|
+ */
|
|
+ allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8;
|
|
+
|
|
+ if (allocSize >= SIZE_MAX) {
|
|
+ rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n");
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
+ client->frameBuffer=malloc( (size_t)allocSize );
|
|
+
|
|
+ if (client->frameBuffer == NULL)
|
|
+ rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n");
|
|
+
|
|
return client->frameBuffer?TRUE:FALSE;
|
|
}
|
|
|