authorNicolas Ruff <nruff@google.com>2014-09-01 14:51:07 +0200
committerJohannes Schindelin <johannes.schindelin@gmx.de>2014-10-07 14:12:22 +0200
commitc18fa98b1ffc651e6429a439b9c2ec4c0f833881 (patch)
tree0f8d345ba2320b67212dba19444ebab1849c60a1
parent7e9ce73b5d4dd59079e03bd43ce1d2bcbb60caf3 (diff)
downloadlibtdevnc-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.tar.gz
libtdevnc-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.zip
Fix stack-based buffer overflow
There was a possible buffer overflow in rfbFileTransferOffer message when processing the FileTime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-rw-r--r--libvncserver/rfbserver.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 21f9eff..f1c7c94 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con
p = strrchr(buffer, ',');
if (p!=NULL) {
*p = '\0';
- strcpy(szFileTime, p+1);
+ strncpy(szFileTime, p+1, sizeof(szFileTime));
+ szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */
} else
szFileTime[0]=0;
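Review bot: The bounded copy on the two added lines truncates an over-long FileTime silently, so a client-supplied field that exceeds the buffer leaves no trace and processing continues with a cut-off timestamp. Consider detecting the condition before the copy and logging it, or rejecting the offer, e.g. `if (strlen(p+1) >= sizeof(szFileTime)) rfbLog("rfbProcessFileTransfer: FileTime too long, truncated\n");`. `sizeof(szFileTime)` is only the right bound if szFileTime is declared as an array in this function; the declaration and the rest of rfbProcessFileTransfer are outside the hunk, so that is worth confirming. The trailing comment would also be more accurate as `/* strncpy does not NUL-terminate when the source is truncated */`, since after this change the copy is truncated rather than overflowed.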