On Sun, Jun 29, 2014 at 5:16 AM, Peter Lieven <p...@kamp.de> wrote:
> Hi,
>
> while debugging a VNC issue I found this:
>
>     case VNC_MSG_CLIENT_CUT_TEXT:
>         if (len == 1)
>             return 8;
>
>         if (len == 8) {
>             uint32_t dlen = read_u32(data, 4);
>             if (dlen > 0)
>                 return 8 + dlen;
>         }
>
>         client_cut_text(vs, read_u32(data, 4), data + 8);
>         break;
>
> in protocol_client_msg().
>
> Is this really a good idea? This allows for letting the vs->input buffer to
> grow up to 2^32 + 8 bytes which will possibly result in an out of memory
> condition.

The spec allows cut operations of this size. What would a reasonable limit be?

Regards,

Anthony Liguori

> Peter
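The issue raised above is that the 32-bit length field of a ClientCutText message is trusted before the server decides how far vs->input may grow. The following is an added illustration, not QEMU code and not a patch from this thread: it restates the quoted logic as a function that returns the buffer target it would ask for, beside a bounded variant that validates the advertised length against a cap first. The cap VNC_CUT_TEXT_MAX_LEN (1 MiB) and the two sample messages are assumptions made for the example; the RFB spec sets no such limit, which is exactly the question Anthony asks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not QEMU code): bounding the ClientCutText length field.
 * The cap below is an assumption for illustration, not a value from QEMU
 * or from the RFB specification.
 */
#define VNC_CUT_TEXT_MAX_LEN   (1u << 20)   /* assumed cap: 1 MiB of clipboard text */
#define VNC_CUT_TEXT_HDR_LEN   8u           /* type(1) + padding(3) + length(4) */

typedef enum {
    CUT_TEXT_NEED_MORE,  /* keep buffering until *needed bytes are present */
    CUT_TEXT_COMPLETE,   /* header and payload are fully buffered */
    CUT_TEXT_TOO_LARGE   /* advertised length exceeds the cap: reject, do not grow */
} cut_text_status;

/* RFB integers are big-endian; this mirrors the read_u32() seen in the thread. */
static uint32_t read_u32_be(const uint8_t *data, size_t offset)
{
    return ((uint32_t)data[offset] << 24) | ((uint32_t)data[offset + 1] << 16) |
           ((uint32_t)data[offset + 2] << 8) | (uint32_t)data[offset + 3];
}

/*
 * The logic quoted in the thread, restated: once the 8-byte header is in,
 * whatever length the client advertised becomes the buffer target.
 * Returned as uint64_t because 8 + 0xffffffff does not fit a 32-bit size_t.
 */
static uint64_t cut_text_needed_unbounded(const uint8_t *data, size_t len)
{
    if (len < VNC_CUT_TEXT_HDR_LEN)
        return VNC_CUT_TEXT_HDR_LEN;
    return (uint64_t)VNC_CUT_TEXT_HDR_LEN + read_u32_be(data, 4);
}

/*
 * Bounded variant: the length is checked against the cap before it is
 * allowed to influence how much the input buffer may grow.
 */
static cut_text_status cut_text_check(const uint8_t *data, size_t len,
                                      uint64_t *needed)
{
    if (len < VNC_CUT_TEXT_HDR_LEN) {
        *needed = VNC_CUT_TEXT_HDR_LEN;
        return CUT_TEXT_NEED_MORE;
    }
    uint32_t dlen = read_u32_be(data, 4);
    if (dlen > VNC_CUT_TEXT_MAX_LEN) {
        *needed = 0;
        return CUT_TEXT_TOO_LARGE;
    }
    *needed = (uint64_t)VNC_CUT_TEXT_HDR_LEN + dlen;
    return len >= *needed ? CUT_TEXT_COMPLETE : CUT_TEXT_NEED_MORE;
}

/* Constructed sample messages (message type 6 = ClientCutText). */
static const uint8_t sample_oversized[8] = {
    6, 0, 0, 0, 0xff, 0xff, 0xff, 0xff          /* length field = 0xffffffff */
};
static const uint8_t sample_hello[13] = {
    6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'   /* length field = 5 */
};

int main(void)
{
    uint64_t needed = 0;
    cut_text_status st;

    printf("unbounded target for oversized header: %llu bytes\n",
           (unsigned long long)cut_text_needed_unbounded(sample_oversized, 8));

    st = cut_text_check(sample_oversized, 8, &needed);
    printf("bounded check of oversized header: %s\n",
           st == CUT_TEXT_TOO_LARGE ? "rejected" : "accepted");

    st = cut_text_check(sample_hello, 8, &needed);
    printf("hello, header only: need %llu bytes (status %d)\n",
           (unsigned long long)needed, (int)st);

    st = cut_text_check(sample_hello, sizeof sample_hello, &needed);
    printf("hello, complete: status %d\n", (int)st);
    return 0;
}
```

With the header of sample_oversized buffered, the unbounded function asks for 4294967303 bytes, while the bounded check returns CUT_TEXT_TOO_LARGE without ever proposing a larger buffer; a caller that treats that status as a protocol error and disconnects the client keeps the per-connection memory footprint under the chosen cap regardless of what the peer advertises.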