Hi, while debugging a VNC issue I found this:
case VNC_MSG_CLIENT_CUT_TEXT:
if (len == 1)
return 8;
if (len == 8) {
uint32_t dlen = read_u32(data, 4);
if (dlen > 0)
return 8 + dlen;
}
client_cut_text(vs, read_u32(data, 4), data + 8);
break;
in protocol_client_msg().
Is this really a good idea? This allows for letting the vs->input buffer to grow
up to 2^32 + 8 byte which will possibly result in an out of memory condition.
Peter
