Commit ba710eb1 authored by dscho's avatar dscho

Merge pull request #20 from newsoft/master

Fix integer overflow in MallocFrameBuffer()
parents 9453be42 85a778c0
...@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE); SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h); rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
continue; continue;
...@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
break; break;
...@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
break; break;
......
...@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) { ...@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) {
#endif #endif
} }
static rfbBool MallocFrameBuffer(rfbClient* client) { static rfbBool MallocFrameBuffer(rfbClient* client) {
uint64_t allocSize;
if(client->frameBuffer) if(client->frameBuffer)
free(client->frameBuffer); free(client->frameBuffer);
client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8);
/* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow
'width' and 'height' are 16-bit integers per RFB protocol design
SIZE_MAX is the maximum value that can fit into size_t
*/
allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8;
if (allocSize >= SIZE_MAX) {
rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n");
return FALSE;
}
client->frameBuffer=malloc( (size_t)allocSize );
if (client->frameBuffer == NULL)
rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n");
return client->frameBuffer?TRUE:FALSE; return client->frameBuffer?TRUE:FALSE;
} }
...@@ -232,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client) ...@@ -232,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client)
client->width=client->si.framebufferWidth; client->width=client->si.framebufferWidth;
client->height=client->si.framebufferHeight; client->height=client->si.framebufferHeight;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
if (!SetFormatAndEncodings(client)) if (!SetFormatAndEncodings(client))
return FALSE; return FALSE;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment