commit 85a778c0e45e87e35ee7199f1f25020648e8b812
Author: newsoft <newsoft@MacBook-Air-de-newsoft-2.local>
Date: Fri Aug 15 16:41:58 2014 +0200
Check for MallocFrameBuffer() return value
If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to
NULL. Subsequent writes into that buffer could lead to memory
corruption, or even arbitrary code execution.
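diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index b4d7156..f55c74f 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client)
 client->updateRect.x = client->updateRect.y = 0;
 client->updateRect.w = client->width;
 client->updateRect.h = client->height;
- client->MallocFrameBuffer(client);
+ if (!client->MallocFrameBuffer(client))
+ return FALSE;
 SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
 rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
 continue;
@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client)
 client->updateRect.x = client->updateRect.y = 0;
 client->updateRect.w = client->width;
 client->updateRect.h = client->height;
- client->MallocFrameBuffer(client);
+ if (!client->MallocFrameBuffer(client))
+ return FALSE;
+
 SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
 rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
 break;
@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client)
 client->updateRect.x = client->updateRect.y = 0;
 client->updateRect.w = client->width;
 client->updateRect.h = client->height;
- client->MallocFrameBuffer(client);
+ if (!client->MallocFrameBuffer(client))
+ return FALSE;
 SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
 rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
 break;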
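Review bot: Each of the three new `return FALSE;` paths in HandleRFBServerMessage exits without a log line, while the success path directly below logs "Got new framebuffer size". Unless the MallocFrameBuffer callback already reports its own failure (not visible here), `if (!client->MallocFrameBuffer(client)) { rfbClientLog("MallocFrameBuffer failed for %dx%d\n", client->width, client->height); return FALSE; }` would leave a trace when a server's resize message drives the client into an allocation failure. By the time of the return, `client->updateRect.w` and `.h` already hold the new dimensions, so a caller must treat FALSE as the end of the session rather than carry on with the previous buffer; whether every caller does so cannot be seen from these hunks. The function body starts and ends outside the hunks.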
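diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
index 24bc6f8..65b7412 100644
--- a/libvncclient/vncviewer.c
+++ b/libvncclient/vncviewer.c
@@ -250,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client)
 
 client->width=client->si.framebufferWidth;
 client->height=client->si.framebufferHeight;
- client->MallocFrameBuffer(client);
+ if (!client->MallocFrameBuffer(client))
+ return FALSE;
 
 if (!SetFormatAndEncodings(client))
 return FALSE;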
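Review bot: The new check in rfbInitConnection catches a NULL result, but `client->width` and `client->height` are copied straight from `client->si.framebufferWidth` and `framebufferHeight` on the two lines above it, with no range check in between, so the allocation size is whatever the server announced. Whether the MallocFrameBuffer callback guards the width × height × bytes-per-pixel product against overflow is not visible in this diff; if it does not, an allocation can succeed with a buffer smaller than the dimensions imply, and the NULL test does not cover that case. Consider rejecting zero or implausibly large dimensions before the call, or confirming that the callback does so; the same applies to the resize paths patched in rfbproto.c. The function continues outside the hunk.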