From d931eafccf3140d740ac61e876dce72a23ade7f4 Mon Sep 17 00:00:00 2001 From: "Martin T. H. Sandsmark" Date: Tue, 23 Sep 2014 22:46:27 +0200 Subject: [PATCH] libvncserver: Check malloc() return value on client->server ClientCutText message. Client can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would in a server crash (write at address 0). Upstream commit: 6037a9074d52b1963c97cb28ea1096c7c14cbf28 --- libvncserver/rfbserver.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index d2e2c5c4..52f9fad9 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c @@ -2404,6 +2404,12 @@ rfbProcessClientNormalMessage(rfbClientPtr cl) str = (char *)malloc(msg.cct.length); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); + return; + } + if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) { if (n != 0) rfbLogPerror("rfbProcessClientNormalMessage: read");