summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authornewsoft <[email protected]>2014-10-06 20:13:00 +0200
committernewsoft <[email protected]>2014-10-06 20:13:00 +0200
commit8220f4da4c4f42d8208f09346414f15121153da6 (patch)
treec0ed2e888158a51d4771a6b07e74dd8e2a5ca575
parent9aa9ac59b4cb10bfca93456a3098e348de172d7f (diff)
downloadlibtdevnc-8220f4da4c4f42d8208f09346414f15121153da6.tar.gz
libtdevnc-8220f4da4c4f42d8208f09346414f15121153da6.zip
Make sure that no integer overflow could occur during scaling
-rw-r--r--libvncserver/scale.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/libvncserver/scale.c b/libvncserver/scale.c
index 6f91391..d5b3f8b 100644
--- a/libvncserver/scale.c
+++ b/libvncserver/scale.c
@@ -66,6 +66,12 @@
(double) ((int) (x)) : (double) ((int) (x) + 1) )
#define FLOOR(x) ( (double) ((int) (x)) )
+static inline int pad4(int value)
+{
+ int remainder = value & 3;
+ if (!remainder) return value;
+ return value + 4 - remainder;
+}
int ScaleX(rfbScreenInfoPtr from, rfbScreenInfoPtr to, int x)
{
@@ -281,14 +287,29 @@ rfbScreenInfoPtr rfbScaledScreenAllocate(rfbClientPtr cl, int width, int height)
ptr = malloc(sizeof(rfbScreenInfo));
if (ptr!=NULL)
{
+ int allocSize;
+
/* copy *everything* (we don't use most of it, but just in case) */
memcpy(ptr, cl->screen, sizeof(rfbScreenInfo));
+
+ /* SECURITY: make sure that no integer overflow will occur afterwards.
+ * Note: this is defensive coding, as the check should have already been
+ * performed during initial, non-scaled screen setup.
+ */
+ allocSize = pad4(width * (ptr->bitsPerPixel/8)); /* per protocol, width<2**16 and bpp<256 */
+ if (height == 0 || allocSize >= SIZE_MAX / height)
+ {
+ free(ptr);
+ return NULL; /* malloc() will allocate an incorrect buffer size - early abort */
+ }
+
+ /* Resume copy everything */
ptr->width = width;
ptr->height = height;
ptr->paddedWidthInBytes = (ptr->bitsPerPixel/8)*ptr->width;
/* Need to by multiples of 4 for Sparc systems */
- ptr->paddedWidthInBytes += (ptr->paddedWidthInBytes % 4);
+ ptr->paddedWidthInBytes = pad4(ptr->paddedWidthInBytes);
/* Reset the reference count to 0! */
ptr->scaledScreenRefCount = 0;