| Description: fix denial of service via large ClientCutText message |
| Origin: backport, https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 |
| |
| Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> |
| |
| Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c |
| =================================================================== |
| --- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2012-05-04 10:19:00.000000000 -0400 |
| +++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:12:36.124058413 -0400 |
| @@ -2457,6 +2457,11 @@ |
| msg.cct.length = Swap32IfLE(msg.cct.length); |
| |
| str = (char *)malloc(msg.cct.length); |
| + if (str == NULL) { |
| + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); |
| + rfbCloseClient(cl); |
| + return; |
| + } |
| |
| if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) { |
| if (n != 0) |