File LibVNCServer-CVE-2019-15690.patch of Package LibVNCServer.15605

diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
 #define OPER_SAVE     0
 #define OPER_RESTORE  1
 
+#define MAX_CURSOR_SIZE 1024
+
 #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
     << client->format.redShift |                                              \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
   if (width * height == 0)
     return TRUE;
 
+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+    return FALSE;
+
   /* Allocate memory for pixel data and temporary mask data. */
   if(client->rcSource)
     free(client->rcSource);

Places

File LibVNCServer-CVE-2019-15690.patch of Package LibVNCServer.15605

Places