From 9c5d4d1b26fa1f0f4d9df5b074700137602a5b68 Mon Sep 17 00:00:00 2001
From: Packit Service
Date: Nov 25 2020 06:14:53 +0000
Subject: Apply patch libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
patch_name: libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
present_in_specfile: true
location_in_specfile: 10
---
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 4d505e6..b50a7f4 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -2594,7 +2594,9 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 * argument. Here we check that the value fits into all of them to
 * prevent from misinterpretation and thus from accessing uninitialized
 * memory. CVE-2018-7225 */
- if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
+ /* But first to prevent from a denial-of-service by allocating to much
+ * memory in the server, we impose a limit of 1 MB. */
+ if (msg.cct.length > 1<<20 || msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {
 rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", msg.cct.length);
 rfbCloseClient(cl);