From f5cfa4bc8d73f16e963f4a2aa99f63614f7da758 Mon Sep 17 00:00:00 2001
From: dscho
Date: Wed, 5 May 2004 19:42:27 +0000
Subject: prevent segmentation fault when requested area is too big; if select is interrupted while WriteExact, just try again.
---
 rfbserver.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
(limited to 'rfbserver.c')
diff --git a/rfbserver.c b/rfbserver.c
index 7a40a7b..e22283e 100644
--- a/rfbserver.c
+++ b/rfbserver.c
@@ -655,6 +655,25 @@ rfbProcessClientInitMessage(cl)
 }
 }
+static rfbBool rectSwapIfLEAndClip(uint16_t* x,uint16_t* y,uint16_t* w,uint16_t* h,
+ rfbScreenInfoPtr screen)
+{
+ *x=Swap16IfLE(*x);
+ *y=Swap16IfLE(*y);
+ *w=Swap16IfLE(*w);
+ *h=Swap16IfLE(*h);
+ if(*w>screen->width-*x)
+ *w=screen->width-*x;
+ /* possible underflow */
+ if(*w>screen->width-*x)
+ return FALSE;
+ if(*h>screen->height-*y)
+ *h=screen->height-*y;
+ if(*h>screen->height-*y)
+ return FALSE;
+
+ return TRUE;
+}
 /*
 * rfbProcessClientNormalMessage is called when the client has sent a normal
@@ -904,11 +923,15 @@ rfbProcessClientNormalMessage(cl)
 return;
 }
+ if(!rectSwapIfLEAndClip(&msg.fur.x,&msg.fur.y,&msg.fur.w,&msg.fur.h,
+ cl->screen))
+ return;
+
 tmpRegion =
- sraRgnCreateRect(Swap16IfLE(msg.fur.x),
- Swap16IfLE(msg.fur.y),
- Swap16IfLE(msg.fur.x)+Swap16IfLE(msg.fur.w),
- Swap16IfLE(msg.fur.y)+Swap16IfLE(msg.fur.h));
+ sraRgnCreateRect(msg.fur.x,
+ msg.fur.y,
+ msg.fur.x+msg.fur.w,
+ msg.fur.y+msg.fur.h);
 LOCK(cl->updateMutex);
 sraRgnOr(cl->requestedRegion,tmpRegion);
--
cgit v1.2.3
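Review bot: In rectSwapIfLEAndClip, an x or y beyond the framebuffer is rejected only through a wrap-around: `*w=screen->width-*x` stores a negative int into a uint16_t, and the repeated comparison then catches the wrapped value. This appears to hold only while screen->width and screen->height are signed ints (their declarations are not in the hunk); with unsigned fields the subtraction would wrap instead, so nothing would be clipped or rejected. An explicit guard before clipping, `if(*x>screen->width || *y>screen->height) return FALSE;`, states the bound directly and makes the second pair of comparisons unnecessary. A header comment should also say that the four values are byte-swapped in place, so the function must be called exactly once per message, and that FALSE means the rectangle's origin lies outside the screen.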
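Review bot: The new early `return;` taken when rectSwapIfLEAndClip fails drops the update request without any trace, so a client sending out-of-range rectangles, whether buggy or malformed on purpose, leaves nothing in the server log. Logging the rejected geometry before returning, for example `rfbLog("ignoring rfbFramebufferUpdateRequest outside framebuffer: x=%d y=%d w=%d h=%d\n", msg.fur.x, msg.fur.y, msg.fur.w, msg.fur.h);`, would give operators something to monitor. On this path msg.fur.w or msg.fur.h has already been overwritten with the wrapped value, so copy the swapped fields before the call if the original request is what should be logged. The enclosing rfbProcessClientNormalMessage starts and ends outside the hunk.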