From c18fa98b1ffc651e6429a439b9c2ec4c0f833881 Mon Sep 17 00:00:00 2001
From: Nicolas Ruff
Date: Mon, 1 Sep 2014 14:51:07 +0200
Subject: Fix stack-based buffer overflow

There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime.

Signed-off-by: Johannes Schindelin
---
 libvncserver/rfbserver.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 21f9eff..f1c7c94 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con
 p = strrchr(buffer, ',');
 if (p!=NULL) {
 *p = '\0';
- strcpy(szFileTime, p+1);
+ strncpy(szFileTime, p+1, sizeof(szFileTime));
+ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
 } else
 szFileTime[0]=0;
-- 
cgit v1.1
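Review bot: An over-long FileTime sent by the client is silently truncated by the new `strncpy` and then used as if it were valid; a check before the copy, such as `if (strlen(p+1) >= sizeof(szFileTime)) rfbLog("rfbProcessFileTransfer: FileTime too long, truncated\n");`, would at least leave a trace of a malformed rfbFileTransferOffer. Rejecting the message outright would be stricter, but the cleanup that needs is outside this hunk. The bound also relies on `szFileTime` being a true array, since `sizeof` on a pointer would yield the pointer size; its declaration is outside the hunk, so that should be confirmed. The trailing comment is slightly misleading, because the copy can no longer overflow and can only be left unterminated; `/* strncpy does not NUL-terminate when the source fills the buffer */` says it more accurately. The body of rfbProcessFileTransfer starts and ends outside this hunk, and other copies of client-supplied strings in it presumably deserve the same audit.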