summaryrefslogblamecommitdiff
path: root/user/tigervnc/null-termination.patch
blob: e80a4f62d03be7a70aac2a3415a7708e1025c7c7 (plain) (tree)





































                                                                         
From 7240f62ddc06643f982456c05c11d8afe5422069 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 26 Mar 2019 11:11:20 +0100
Subject: [PATCH] Handle server name overflow properly

We need to make sure it is null terminated on truncation. We also
need to avoid giving a too large size argument or modern gcc will
complain.
---
 vncviewer/vncviewer.cxx | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
index d7cbd6e36..4a8370b95 100644
--- a/vncviewer/vncviewer.cxx
+++ b/vncviewer/vncviewer.cxx
@@ -411,7 +411,8 @@ potentiallyLoadConfigurationFile(char *vncServerName)
       newServerName = loadViewerParameters(vncServerName);
       // This might be empty, but we still need to clear it so we
       // don't try to connect to the filename
-      strncpy(vncServerName, newServerName, VNCSERVERNAMELEN);
+      strncpy(vncServerName, newServerName, VNCSERVERNAMELEN-1);
+      vncServerName[VNCSERVERNAMELEN-1] = '\0';
     } catch (rfb::Exception& e) {
       vlog.error("%s", e.str());
       if (alertOnFatalError)
@@ -541,8 +542,10 @@ int main(int argc, char** argv)
   try {
     const char* configServerName;
     configServerName = loadViewerParameters(NULL);
-    if (configServerName != NULL)
-      strncpy(defaultServerName, configServerName, VNCSERVERNAMELEN);
+    if (configServerName != NULL) {
+      strncpy(defaultServerName, configServerName, VNCSERVERNAMELEN-1);
+      defaultServerName[VNCSERVERNAMELEN-1] = '\0';
+    }
   } catch (rfb::Exception& e) {
     vlog.error("%s", e.str());
     if (alertOnFatalError)