summaryrefslogtreecommitdiffstats
path: root/libvncclient/vncviewer.c
diff options
context:
space:
mode:
authornewsoft <newsoft@MacBook-Air-de-newsoft-2.local>2014-08-15 16:31:13 +0200
committernewsoft <newsoft@MacBook-Air-de-newsoft-2.local>2014-08-15 16:31:13 +0200
commit045a044e8ae79db9244593fbce154cdf6e843273 (patch)
treeda1bb23725b360ade28dd657f47eb8c517e92980 /libvncclient/vncviewer.c
parent9453be42014b6b9eaa6ab6f8c2e8b6f4f01d15aa (diff)
downloadlibtdevnc-045a044e8ae79db9244593fbce154cdf6e843273.tar.gz
libtdevnc-045a044e8ae79db9244593fbce154cdf6e843273.zip
Fix integer overflow in MallocFrameBuffer()
Promote integers to uint64_t to avoid integer overflow issue during frame buffer allocation for very large screen sizes
Diffstat (limited to 'libvncclient/vncviewer.c')
-rw-r--r--libvncclient/vncviewer.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
index 3b16a6f..24bc6f8 100644
--- a/libvncclient/vncviewer.c
+++ b/libvncclient/vncviewer.c
@@ -82,9 +82,27 @@ static char* ReadPassword(rfbClient* client) {
#endif
}
static rfbBool MallocFrameBuffer(rfbClient* client) {
+uint64_t allocSize;
+
if(client->frameBuffer)
free(client->frameBuffer);
- client->frameBuffer=malloc(client->width*client->height*client->format.bitsPerPixel/8);
+
+ /* SECURITY: promote 'width' into uint64_t so that the multiplication does not overflow
+ 'width' and 'height' are 16-bit integers per RFB protocol design
+ SIZE_MAX is the maximum value that can fit into size_t
+ */
+ allocSize = (uint64_t)client->width * client->height * client->format.bitsPerPixel/8;
+
+ if (allocSize >= SIZE_MAX) {
+ rfbClientErr("CRITICAL: cannot allocate frameBuffer, requested size is too large\n");
+ return FALSE;
+ }
+
+ client->frameBuffer=malloc( (size_t)allocSize );
+
+ if (client->frameBuffer == NULL)
+ rfbClientErr("CRITICAL: frameBuffer allocation failed, requested size too large or not enough memory?\n");
+
return client->frameBuffer?TRUE:FALSE;
}