Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
index 04b0230..bd11b54 100644
--- a/vncviewer/rfbproto.c
+++ b/vncviewer/rfbproto.c
@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
 si.format.blueMax = Swap16IfLE(si.format.blueMax);
 si.nameLength = Swap32IfLE(si.nameLength);
 
- /* FIXME: Check arguments to malloc() calls. */
+ if (si.nameLength > 1<<20) {
+ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
+ (unsigned long)si.nameLength);
+ return False;
+ }
+
 desktopName = malloc(si.nameLength + 1);
 if (!desktopName) {
 fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
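Review bot: The deleted FIXME spoke of `malloc()` calls in the plural, but the added guard bounds only `si.nameLength`. Any other server-supplied length that reaches `malloc()` elsewhere in rfbproto.c (not visible in this hunk) loses its reminder, so either audit those sites in the same change or keep a narrowed comment such as `/* FIXME: other server-sent lengths passed to malloc() are still unchecked */`. The bound itself looks sound: with the length capped at 1 MB, `si.nameLength + 1` can no longer wrap to 0 on what is presumably a 32-bit field. The limit would read better as a named constant, e.g. `#define MAX_DESKTOP_NAME_LEN (1 << 20)`, so that the test and the "1 MB" in the message cannot drift apart. InitialiseRFBConnection starts and ends outside the hunk, so whether the new `return False` path needs any cleanup cannot be judged from here.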