Christian Beier authored
Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):

LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length

It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.

```
case rfbServerCutText:
{
  char *buffer;

  if (!ReadFromRFBServer(client, ((char *)&msg) + 1,
                         sz_rfbServerCutTextMsg - 1))
    return FALSE;

  msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);   << Retrieve malicious length

  buffer = malloc(msg.sct.length+1);                      << Allocate buffer. Can return 0x0

  if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer
    return FALSE;

  buffer[msg.sct.length] = 0;                             << Attempt to write to buffer

  if (client->GotXCutText)
    client->GotXCutText(client, buffer, msg.sct.length);  << Attempt to write to buffer

  free(buffer);

  break;
}
```

If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
95efcfbf
Name | Last commit | Last update |
---|---|---|
client_examples | ||
common | ||
compat/msvc | ||
examples | ||
libvncclient | ||
libvncserver | ||
m4 | ||
rfb | ||
test | ||
utils | ||
webclients | ||
.gitignore | ||
AUTHORS | ||
CMakeLists.txt | ||
COPYING | ||
ChangeLog | ||
Doxyfile | ||
LibVNCServer.spec.in | ||
Makefile.am | ||
NEWS | ||
README | ||
TODO | ||
autogen.sh | ||
configure.ac | ||
libvncclient.pc.in | ||
libvncserver-config.in | ||
libvncserver.pc.in |