diff options
author | newsoft <newsoft@MacBook-Air-de-newsoft-2.local> | 2014-08-15 16:31:13 +0200 |
---|---|---|
committer | newsoft <newsoft@MacBook-Air-de-newsoft-2.local> | 2014-08-15 16:31:13 +0200 |
commit | 045a044e8ae79db9244593fbce154cdf6e843273 (patch) | |
tree | da1bb23725b360ade28dd657f47eb8c517e92980 | |
parent | 9453be42014b6b9eaa6ab6f8c2e8b6f4f01d15aa (diff) | |
download | libvncserver-045a044e8ae79db9244593fbce154cdf6e843273.zip libvncserver-045a044e8ae79db9244593fbce154cdf6e843273.tar.gz |
Fix integer overflow in MallocFrameBuffer()
Promote integers to uint64_t to avoid integer overflow issue during
frame buffer allocation for very large screen sizes
-rw-r--r-- | libvncclient/vncviewer.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c index 3b16a6f..24bc6f8 100644 --- a/libvncclient/vncviewer.c +++ b/libvncclient/vncviewer.c @@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) { #endif } static rfbBool MallocFrameBuffer(rfbClient* client) { +uint64_t allocSize; + if(client->frameBuffer) free(client->frameBuffer); - client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8); + + /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow + 'width' and 'height' are 16-bit integers per RFB protocol design + SIZE_MAX is the maximum value that can fit into size_t + */ + allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8; + + if (allocSize >= SIZE_MAX) { + rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n"); + return FALSE; + } + + client->frameBuffer=malloc( (size_t)allocSize ); + + if (client->frameBuffer == NULL) + rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n"); + return client->frameBuffer?TRUE:FALSE; } |