Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
index 04b0230..47a6863 100644
--- a/vncviewer/rfbproto.c
+++ b/vncviewer/rfbproto.c
@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
 if (serverCutText)
 free(serverCutText);
+ if (msg.sct.length > 1<<20) {
+ fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
+ (unsigned int)msg.sct.length);
+ return False;
+ }
+
 serverCutText = malloc(msg.sct.length+1);
 if (!ReadFromRFBServer(serverCutText, msg.sct.length))
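Review bot: The new early `return False` runs after `free(serverCutText)`, so on the oversize path `serverCutText` is left pointing at freed memory. If that variable outlives this call (it looks non-local, since it is freed before being assigned here), a later read or a second `free` would hit a dangling pointer. Doing the length check before the `free`, or adding `serverCutText = NULL;` right after it, closes that. Separately, the `malloc(msg.sct.length+1)` result in the context below is still passed to `ReadFromRFBServer` unchecked; with a server-chosen size of up to 1 MB, `if (!serverCutText) return False;` is worth adding. HandleRFBServerMessage starts and ends outside the hunk, so how callers treat the `False` return is not visible here.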