| author | Nicolas Ruff <nruff@google.com> | 2014-09-01 14:51:07 +0200 | 
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2014-10-07 14:12:22 +0200 | 
| commit | c18fa98b1ffc651e6429a439b9c2ec4c0f833881 (patch) | |
| tree | 0f8d345ba2320b67212dba19444ebab1849c60a1 | |
| parent | 7e9ce73b5d4dd59079e03bd43ce1d2bcbb60caf3 (diff) | |
| download | libtdevnc-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.tar.gz libtdevnc-c18fa98b1ffc651e6429a439b9c2ec4c0f833881.zip | |
Fix stack-based buffer overflow

There was a possible buffer overflow in rfbFileTransferOffer message when
processing the FileTime.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| -rw-r--r-- | libvncserver/rfbserver.c | 3 | 
1 files changed, 2 insertions, 1 deletions
| diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index 21f9eff..f1c7c94 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c @@ -1770,7 +1770,8 @@ rfbBool rfbProcessFileTransfer(rfbClientPtr cl, uint8_t contentType, uint8_t con          p = strrchr(buffer, ',');          if (p!=NULL) {              *p = '\0'; -            strcpy(szFileTime, p+1); +            strncpy(szFileTime, p+1, sizeof(szFileTime)); +            szFileTime[sizeof(szFileTime)-1] = '\x00'; /* ensure NULL terminating byte is present, even if copy overflowed */          } else              szFileTime[0]=0; | 
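
Review bot: in the added strncpy line, an over-long FileTime field is now silently truncated to sizeof(szFileTime)-1 bytes and rfbProcessFileTransfer carries on with the shortened value; if a truncated timestamp is not meaningful downstream, check strlen(p+1) against sizeof(szFileTime) first and reject or log the message instead. The bound also only holds if szFileTime is declared as an array in this function rather than as a pointer; the declaration is outside the hunk, so please confirm it. Minor: the comment should say NUL rather than NULL and "truncated" rather than "overflowed", since strncpy never writes past the size it is given, and '\0' would match the `*p = '\0';` two lines above instead of '\x00'.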
