Description: libvncclient/cursor: limit width/height input values Avoids a possible heap overflow reported by Pavel Cheremushkin <Pavel.Cheremushkin@kaspersky.com>. Author: Christian Beier <dontmind@freeshell.org> Author: Utkarsh Gupta <utkarsh@debian.org> Origin: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed Bug: https://github.com/LibVNC/libvncserver/issues/381 Bug-Debian: https://bugs.debian.org/954163 Last-Update: 2020-03-17
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
 #define OPER_SAVE 0
 #define OPER_RESTORE 1

+#define MAX_CURSOR_SIZE 1024
+
 #define RGB24_TO_PIXEL(bpp,r,g,b) \
 ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
 << client->format.redShift | \
@@ -60,6 +62,9 @@
 if (width * height == 0)
 return TRUE;

+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+ return FALSE;
+
 /* Allocate memory for pixel data and temporary mask data. */
 if(client->rcSource)
 free(client->rcSource);
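Review bot: `MAX_CURSOR_SIZE` is defined without a comment, and its name reads as an inclusive maximum while the check added in the second hunk compares with `>=`, so a side of exactly 1024 is rejected. A one-line comment above the define would make the contract explicit, for example `/* Exclusive upper bound, in pixels, on a server-supplied cursor width or height. */`. If 1024 was meant to be accepted, the comparison in the second hunk should be `>` instead.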
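Review bot: The new range check sits after `if (width * height == 0)`, so the product is still computed on values that have not been bounded yet. The `>=` comparison also lets negative values through if width and height are signed; their declaration is outside the hunk. Testing the range first covers both cases: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;` followed by `if (width == 0 || height == 0) return TRUE;`. The allocation these values presumably feed is below the hunk, so its size arithmetic should be confirmed against the new limit there. The enclosing function starts and ends outside the hunk.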