blob: 23b8adaf1ee91c97b62f324130625efcee3fad89 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
Description: fix denial of service via large ClientCutText message
Origin: backport, https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
===================================================================
--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2012-05-04 10:19:00.000000000 -0400
+++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:12:36.124058413 -0400
@@ -2457,6 +2457,11 @@
msg.cct.length = Swap32IfLE(msg.cct.length);
str = (char *)malloc(msg.cct.length);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+ return;
+ }
if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
if (n != 0)
|
