Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2025-12-11 21:20:26 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

graphics/vncserver: Fix buffer overflow

Browse Source 
Signed-off-by: Huang Qi <huangqi3@xiaomi.com>
This commit is contained in:
Huang Qi
2021-12-17 18:10:32 +08:00
committed by archer
parent e0f7bab13c
commit 19e748f278
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
graphics/vnc/server/vnc_raw.c
View File

@@ -250,7 +250,7 @@ static size_t vnc_copy32(FAR struct vnc_session_s *session,
srcleft = (FAR lfb_color_t *)((uintptr_t)srcleft + RFB_STRIDE);
}
return (size_t)((uintptr_t)srcleft - (uintptr_t)update->rect[0].data);
return (size_t)((uintptr_t)dest - (uintptr_t)update->rect[0].data);
}
/****************************************************************************
@@ -357,8 +357,16 @@ int vnc_raw(FAR struct vnc_session_s *session, FAR struct nxgl_rect_s *rect)
deststride = maxwidth;
}
destwidth = deststride / bytesperpixel;
destheight = CONFIG_VNCSERVER_UPDATE_BUFSIZE / deststride;
DEBUGASSERT(CONFIG_VNCSERVER_UPDATE_BUFSIZE >
SIZEOF_RFB_FRAMEBUFFERUPDATE_S(SIZEOF_RFB_RECTANGE_S(0)));
destwidth = deststride / bytesperpixel;
/* Reserve some space for message header */
destheight = (CONFIG_VNCSERVER_UPDATE_BUFSIZE -
SIZEOF_RFB_FRAMEBUFFERUPDATE_S(SIZEOF_RFB_RECTANGE_S(0))) /
deststride;
if (destheight > srcheight)
{