authordscho <dscho>2004-05-05 19:42:27 +0000
committerdscho <dscho>2004-05-05 19:42:27 +0000
commitf5cfa4bc8d73f16e963f4a2aa99f63614f7da758 (patch)
tree1feb70ded7d43c476d077d75fc1b9171797e93f6
parent1c7ca906f7971bc45a90f425d5d8754ddd5eb1d7 (diff)
downloadlibvncserver-f5cfa4bc8d73f16e963f4a2aa99f63614f7da758.zip
libvncserver-f5cfa4bc8d73f16e963f4a2aa99f63614f7da758.tar.gz
prevent segmentation fault when requested area is too big; if select is interrupted while WriteExact, just try again.
-rw-r--r--rfbserver.c31
-rw-r--r--sockets.c4
2 files changed, 30 insertions, 5 deletions
diff --git a/rfbserver.c b/rfbserver.c
index 7a40a7b..e22283e 100644
--- a/rfbserver.c
+++ b/rfbserver.c
@@ -655,6 +655,25 @@ rfbProcessClientInitMessage(cl)
}
}
+static rfbBool rectSwapIfLEAndClip(uint16_t* x,uint16_t* y,uint16_t* w,uint16_t* h,
+ rfbScreenInfoPtr screen)
+{
+ *x=Swap16IfLE(*x);
+ *y=Swap16IfLE(*y);
+ *w=Swap16IfLE(*w);
+ *h=Swap16IfLE(*h);
+ if(*w>screen->width-*x)
+ *w=screen->width-*x;
+ /* possible underflow */
+ if(*w>screen->width-*x)
+ return FALSE;
+ if(*h>screen->height-*y)
+ *h=screen->height-*y;
+ if(*h>screen->height-*y)
+ return FALSE;
+
+ return TRUE;
+}
/*
* rfbProcessClientNormalMessage is called when the client has sent a normal
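Review bot: In rectSwapIfLEAndClip, a request whose origin lies outside the framebuffer is rejected only implicitly. Assuming `screen->width` is a signed int, `screen->width-*x` goes negative, the assignment wraps in `uint16_t`, and only the repeated comparison returns FALSE; the `*y`/`*h` pair works the same way. An explicit guard before the clipping, `if(*x>screen->width || *y>screen->height) return FALSE;`, states the intent, keeps the current result for an origin exactly on the edge, and makes the two duplicate comparisons unnecessary. The function also needs a header comment saying that it byte-swaps the four fields in place, so it must run only once per message, and that on FALSE the fields are left swapped and possibly overwritten.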
@@ -904,11 +923,15 @@ rfbProcessClientNormalMessage(cl)
return;
}
+ if(!rectSwapIfLEAndClip(&msg.fur.x,&msg.fur.y,&msg.fur.w,&msg.fur.h,
+ cl->screen))
+ return;
+
tmpRegion =
- sraRgnCreateRect(Swap16IfLE(msg.fur.x),
- Swap16IfLE(msg.fur.y),
- Swap16IfLE(msg.fur.x)+Swap16IfLE(msg.fur.w),
- Swap16IfLE(msg.fur.y)+Swap16IfLE(msg.fur.h));
+ sraRgnCreateRect(msg.fur.x,
+ msg.fur.y,
+ msg.fur.x+msg.fur.w,
+ msg.fur.y+msg.fur.h);
LOCK(cl->updateMutex);
sraRgnOr(cl->requestedRegion,tmpRegion);
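Review bot: The early `return` after a rejected rectangle is silent, so a client that sends out-of-range update requests (`msg.fur`) leaves no trace in the server log. A line such as `rfbLog("ignoring update request outside the framebuffer\n");` before the `return` would make malformed requests visible to an operator. The return sits before `tmpRegion` is created and before `LOCK(cl->updateMutex)`, so nothing leaks as far as the hunk shows. The rest of rfbProcessClientNormalMessage is outside the hunk, so other messages that carry a client-supplied rectangle could not be checked for the same clipping.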
diff --git a/sockets.c b/sockets.c
index 9086326..cea1898 100644
--- a/sockets.c
+++ b/sockets.c
@@ -499,7 +499,9 @@ WriteExact(cl, buf, len)
tv.tv_sec = 5;
tv.tv_usec = 0;
n = select(sock+1, NULL, &fds, NULL /* &fds */, &tv);
- if (n < 0) {
+ if (n < 0) {
+ if(errno==EINTR)
+ continue;
rfbLogPerror("WriteExact: select");
UNLOCK(cl->outputMutex);
return n;
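Review bot: The new `continue` on `EINTR` has no overall bound, and each retry appears to start a fresh 5-second `tv`. Repeated signal delivery could therefore keep this thread waiting on a stalled client while `cl->outputMutex` is apparently still held, since the error path just below is what unlocks it. Consider tracking total elapsed time or a retry count and failing once the intended timeout is exceeded. The loop head is outside the hunk, so where `continue` resumes and whether `fds` is rebuilt there could not be checked. The unbraced test is also worth bracing: `if (errno == EINTR) { continue; }`.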