On Sun, Jun 29, 2014 at 5:16 AM, Peter Lieven <p...@kamp.de> wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
> case VNC_MSG_CLIENT_CUT_TEXT:
> if (len == 1)
> return 8;
>
> if (len == 8) {
> uint32_t dlen = read_u32(data, 4);
> if (dlen > 0)
> return 8 + dlen;
> }
>
> client_cut_text(vs, read_u32(data, 4), data + 8);
> break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows for letting the vs->input buffer to
> grow
> up to 2^32 + 8 byte which will possibly result in an out of memory condition.
The spec allows cut operations of this size. What would a reasonable limit be?
Regards,
Anthony Liguori
> PeterY
>
>
