Commit c18fa98b authored by Nicolas Ruff, committed by Johannes Schindelin

Fix stack-based buffer overflow

There was a possible buffer overflow in rfbFileTransferOffer message when
processing the FileTime.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
parent 7e9ce73b
...@@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con ...@@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con
p = strrchr(buffer, ','); p = strrchr(buffer, ',');
if (p!=NULL) { if (p!=NULL) {
*p = '\0'; *p = '\0';
strcpy(szFileTime, p+1); strncpy(szFileTime, p+1, sizeof(szFileTime));
szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
} else } else
szFileTime[0]=0; szFileTime[0]=0;
......
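Review bot: The new `strncpy(szFileTime, p+1, sizeof(szFileTime));` silently truncates an over-long FileTime instead of rejecting it, so a malformed rfbFileTransferOffer is still processed with a cut-off timestamp. Consider comparing `strlen(p+1)` against `sizeof(szFileTime)` first and treating an oversized field as a protocol error (or at least logging it) rather than copying a prefix. Two smaller points on the same lines: `sizeof(szFileTime)` only gives the buffer size if `szFileTime` is declared as an array in this function, which is not visible in the hunk and is worth confirming; and the added comment should say "NUL terminating byte" and "if the source was truncated", since with `strncpy` the copy no longer overflows and the explicit terminator is there because `strncpy` does not terminate when the source fills the buffer.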