File x11vnc-fix-buffer-overflow-in-record_CW.patch of Package x11vnc
From 06bbe167108faa7b13f61b75191d39fc200bcfa7 Mon Sep 17 00:00:00 2001
From: Michal Srb <michalsrb@gmail.com>
Date: Wed, 6 Jul 2016 14:40:19 +0300
Subject: [PATCH] Fix buffer overflow in record_CW.
The loop is supposed to read up to four 4-byte values that follow the request,
but instead it was reading the whole length of the request (header + payload)
from the data following the request.
diff --git a/src/xrecord.c b/src/xrecord.c
index a657ce8..4bc119c 100644
--- a/x11vnc/xrecord.c
+++ b/x11vnc/xrecord.c
@@ -961,7 +961,7 @@ if (db > 1) fprintf(stderr, "record_CW-%d\n", k++);
data = (char *)req;
data += sz_xConfigureWindowReq;
- for (i=0; i<req->length; i++) {
+ for (i = 0; i < req->length - sz_xConfigureWindowReq / 4 && i < 4; i++) {
unsigned int v;
/*
* We use unsigned int for the values. There were
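Review bot: The new loop condition computes `req->length - sz_xConfigureWindowReq / 4` with no guard for a request whose length field is smaller than the header size in 4-byte words (the unit the division by 4 implies). The types of `i` and `req->length` are not visible in this hunk. Depending on them, the difference either goes negative and the loop is skipped, or it wraps to a large value, in which case only `i < 4` bounds the loop and up to four values are still read from past the end of the request. Suggest computing the number of trailing words once before the loop, after an explicit check that `req->length` is at least `sz_xConfigureWindowReq / 4`, and parenthesizing the division so the precedence is obvious at a glance. The literal 4 would also be clearer as a named constant or with a comment tying it to the "up to four 4-byte values" in the commit message. Separately, the `diff --git` line names `src/xrecord.c` while the `---`/`+++` lines name `x11vnc/xrecord.c`; worth confirming the patch applies to the intended file.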