Fix stack-based buffer overflow

There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
author: Nicolas Ruff <nruff@google.com> 2014-09-01 14:51:07 +0200
committer: Johannes Schindelin <johannes.schindelin@gmx.de> 2014-10-07 14:12:22 +0200
commit: c18fa98b1ffc651e6429a439b9c2ec4c0f833881 (patch)
tree: 0f8d345ba2320b67212dba19444ebab1849c60a1
parent: 7e9ce73b5d4dd59079e03bd43ce1d2bcbb60caf3 (diff)
download: libvncserver-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.zip
libvncserver-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 21f9eff..f1c7c94 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con
         p = strrchr(buffer, ',');
         if (p!=NULL) {
             *p = '\0';
-            strcpy(szFileTime, p+1);
+            strncpy(szFileTime, p+1, sizeof(szFileTime));
+            szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
         } else
             szFileTime[0]=0;
author	Nicolas Ruff <nruff@google.com>	2014-09-01 14:51:07 +0200
committer	Johannes Schindelin <johannes.schindelin@gmx.de>	2014-10-07 14:12:22 +0200
commit	c18fa98b1ffc651e6429a439b9c2ec4c0f833881 (patch)
tree	0f8d345ba2320b67212dba19444ebab1849c60a1
parent	7e9ce73b5d4dd59079e03bd43ce1d2bcbb60caf3 (diff)
download	libvncserver-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.zip libvncserver-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.tar.gz