Hi, while debugging a VNC issue I found this:

    case VNC_MSG_CLIENT_CUT_TEXT:
        if (len == 1)
            return 8;

        if (len == 8) {
            uint32_t dlen = read_u32(data, 4);
            if (dlen > 0)
                return 8 + dlen;
        }

        client_cut_text(vs, read_u32(data, 4), data + 8);
        break;

in protocol_client_msg(). Is this really a good idea? This allows the vs->input buffer to grow up to 2^32 + 8 bytes, which will possibly result in an out of memory condition.

Peter
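
Added example, not part of the original message and not QEMU's code: a stand-alone model of the length negotiation quoted above, with an upper bound checked before the handler asks for more input. The names cut_text_need, be32 and CUT_TEXT_MAX and the 1 MiB limit are assumptions made for this sketch; the two headers are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CUT_TEXT_HDR 8u          /* type(1) + padding(3) + length(4) */
#define CUT_TEXT_MAX (1u << 20)  /* assumed 1 MiB policy limit for this example */

/* Big-endian 32-bit read, the byte order RFB uses on the wire. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the total number of bytes wanted before the next call, 0 when the
 * message is complete, or -1 when the announced payload exceeds max_payload. */
int64_t cut_text_need(const uint8_t *data, size_t len, uint32_t max_payload)
{
    if (len == 1) {
        return CUT_TEXT_HDR;             /* only the type byte so far */
    }
    if (len == CUT_TEXT_HDR) {
        uint32_t dlen = be32(data + 4);  /* client-controlled length field */
        if (dlen > max_payload) {
            return -1;                   /* refuse before buffering anything more */
        }
        if (dlen > 0) {
            return (int64_t)CUT_TEXT_HDR + dlen;
        }
    }
    return 0;                            /* header and payload present: dispatch */
}

/* Constructed input: ClientCutText (type 6) announcing 0xFFFFFFFF bytes. */
static const uint8_t huge_hdr[8] = { 6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff };
/* Constructed input: the same message type announcing a 5-byte payload. */
static const uint8_t small_hdr[8] = { 6, 0, 0, 0, 0, 0, 0, 5 };

int main(void)
{
    /* With no effective limit the handler asks for 2^32 + 7 bytes of input. */
    printf("no limit:  %lld\n", (long long)cut_text_need(huge_hdr, 8, UINT32_MAX));
    printf("limited:   %lld\n", (long long)cut_text_need(huge_hdr, 8, CUT_TEXT_MAX));
    printf("small msg: %lld\n", (long long)cut_text_need(small_hdr, 8, CUT_TEXT_MAX));
    return 0;
}
```

A caller that receives -1 would drop the connection instead of growing its input buffer.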