From 7240f62ddc06643f982456c05c11d8afe5422069 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 26 Mar 2019 11:11:20 +0100
Subject: [PATCH] Handle server name overflow properly

We need to make sure it is null terminated on truncation. We also need to avoid giving a too large size argument or modern gcc will complain.
---
 vncviewer/vncviewer.cxx | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
index d7cbd6e36..4a8370b95 100644
--- a/vncviewer/vncviewer.cxx
+++ b/vncviewer/vncviewer.cxx
@@ -411,7 +411,8 @@ potentiallyLoadConfigurationFile(char *vncServerName)
 newServerName = loadViewerParameters(vncServerName);
 // This might be empty, but we still need to clear it so we
 // don't try to connect to the filename
- strncpy(vncServerName, newServerName, VNCSERVERNAMELEN);
+ strncpy(vncServerName, newServerName, VNCSERVERNAMELEN-1);
+ vncServerName[VNCSERVERNAMELEN-1] = '\0';
 } catch (rfb::Exception& e) {
 vlog.error("%s", e.str());
 if (alertOnFatalError)
@@ -541,8 +542,10 @@ int main(int argc, char** argv)
 try {
 const char* configServerName;
 configServerName = loadViewerParameters(NULL);
- if (configServerName != NULL)
- strncpy(defaultServerName, configServerName, VNCSERVERNAMELEN);
+ if (configServerName != NULL) {
+ strncpy(defaultServerName, configServerName, VNCSERVERNAMELEN-1);
+ defaultServerName[VNCSERVERNAMELEN-1] = '\0';
+ }
 } catch (rfb::Exception& e) {
 vlog.error("%s", e.str());
 if (alertOnFatalError)
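Review bot: Truncation is still silent in the two added lines of potentiallyLoadConfigurationFile: a server name longer than VNCSERVERNAMELEN-1 bytes read from the configuration file becomes a different, shorter name and the viewer carries on with it. Rejecting the value is safer than connecting to a name the file did not contain, e.g. `if (strlen(newServerName) >= VNCSERVERNAMELEN) throw rfb::Exception("Server name in configuration file is too long");` ahead of the copy, which the existing catch block would then report. The same applies to the defaultServerName copy in the main() hunk. Unlike that call site, newServerName is not compared with NULL before the copy here; if loadViewerParameters can return NULL when given a file name, this path needs the same guard. The function body starts and ends outside the hunk.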
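Review bot: The copy-then-terminate pair added inside `if (configServerName != NULL)` duplicates the one in potentiallyLoadConfigurationFile, and both depend on the destination being at least VNCSERVERNAMELEN bytes, which nothing at either site states. A small file-local helper would keep the two copies identical and give that size requirement one documented home. main() starts and ends outside the hunk, so the declaration of defaultServerName is not visible here and its size should be confirmed against the helper's contract.

```cpp
// Copies a server name into dest, which must be at least
// VNCSERVERNAMELEN bytes, and always leaves it null terminated.
static void copyServerName(char* dest, const char* src)
{
  strncpy(dest, src, VNCSERVERNAMELEN-1);
  dest[VNCSERVERNAMELEN-1] = '\0';
}

// … unchanged in main(): configServerName = loadViewerParameters(NULL); …
if (configServerName != NULL)
  copyServerName(defaultServerName, configServerName);
```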