author | Peter Arrenbrecht <peter@arrenbrech.ch> | 2010-01-26 12:44:15 +0100 |
---|---|---|
committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2010-01-26 12:44:15 +0100 |
commit | c656b381fd8158aa73173c157b1492d1014e13f0 (patch) | |
tree | 60f18cdc91a5be2bd7d7050cf050cd9bddbe549f | |
parent | 6b2b3b8213bbe95182c91df419e0562e85f36bc0 (diff) | |
Fix tightvnc-filetransfer 64 bit buffer overflow
Seems there is a buffer overflow in x11vnc's tightvnc-filetransfer
code when compiling to 64 bits: a buffer is allocated using sizeof(int)
for the size, but then, data is copied into it using
sizeof(unsigned long).
Detected by GCC build with full warnings.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-rw-r--r-- | libvncserver/tightvnc-filetransfer/filetransfermsg.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c b/libvncserver/tightvnc-filetransfer/filetransfermsg.c index 7dae2cd..a0d7a5e 100644 --- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c +++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c @@ -393,7 +393,7 @@ FileTransferMsg CreateFileDownloadZeroSizeDataMsg(unsigned long mTime) { FileTransferMsg fileDownloadZeroSizeDataMsg; - int length = sz_rfbFileDownloadDataMsg + sizeof(int); + int length = sz_rfbFileDownloadDataMsg + sizeof(unsigned long); rfbFileDownloadDataMsg *pFDD = NULL; char *pFollow = NULL; |
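Review bot: In CreateFileDownloadZeroSizeDataMsg, the new length of sz_rfbFileDownloadDataMsg + sizeof(unsigned long) makes the message size depend on the ABI: 4 trailing bytes where unsigned long is 32 bits, 8 where it is 64 bits. The allocation now matches the copy size named in the commit message, so the overflow is closed, but if the receiving side expects a fixed-width modification time after the header, a 64-bit build will send a longer message than a 32-bit build does. Consider converting mTime to a fixed-width type (for example uint32_t) and using that type's sizeof for both the allocation and the copy, or at minimum writing sizeof(mTime) here so the two sizes cannot drift apart again. A short comment stating what follows the rfbFileDownloadDataMsg header would help the next reader, and since the sum is a size_t, storing it in int length relies on an implicit narrowing conversion that is worth making explicit.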