From 8937203441ee241c4ace85da687b7d6633a12365 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Fri, 10 Apr 2020 19:07:12 +0200
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
Addresses GitHub Security Lab (GHSL) Vulnerability Report `GHSL-2020-063`. Re #275
---
(daviddavid) Rebase
---
libvncclient/rfbproto.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index a54c1e67..26430c77 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -68,6 +68,8 @@
 #endif
 #include "tls.h"
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
 #ifdef _MSC_VER
 # define snprintf _snprintf /* MSVC went straight to the underscored syntax */
 #endif
@@ -2268,6 +2270,8 @@ HandleRFBServerMessage(rfbClient* client
 client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
 break;
 default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
 buffer=malloc(msg.tc.length+1);
 if (!ReadFromRFBServer(client, buffer, msg.tc.length))
 {
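Review bot: In the `default:` branch of the second hunk, the result of `malloc(msg.tc.length+1)` is still passed straight to `ReadFromRFBServer` with no NULL check. The new cap bounds the request at 10 MB, but a failed allocation would still be written through. Adding `if (!buffer) return FALSE;` directly after the `malloc` closes that gap. The bare `return FALSE` on an oversized length also drops the connection without a trace, so a log line naming the rejected length (for instance through `rfbClientLog`) would make a misbehaving or hostile server easier to spot. The branch continues past the end of the hunk, so what happens to `buffer` after the read is not visible here.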