Buffer overrun causes SIGSEGV
Brought to you by: const_k
When compiled with -O2 by gcc 2.95.4 on FreeBSD, the stack frame is trashed by rf_host_ver(), causing a core dump. The reason is that ver_msg is too short for the trailing null byte written by sprintf(). Solution: increase the size by 1.
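The size arithmetic behind the report, as an added example (not code from host_connect.c or the project): the RFB greeting "RFB 003.003\n" is 12 characters, so the 12-byte array has no room for the terminator that sprintf() appends. The format string "RFB %03d.%03d\n" and the function names below are assumptions for illustration; the example sizes the buffer from snprintf()'s return value instead of a hand-counted constant, so the check stays right if the format changes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed format of the greeting that rf_host_ver() builds; the bug report
 * only says sprintf() writes one more byte than ver_msg[12] holds. */
#define RFB_VERSION_FMT "RFB %03d.%03d\n"

/* Format the greeting into buf with a bounded write. snprintf() returns the
 * length the full string would have (excluding the NUL) even when it has to
 * truncate, so the caller can tell whether buf was big enough. */
int rfb_version_msg(char *buf, size_t bufsize, int major, int minor)
{
    return snprintf(buf, bufsize, RFB_VERSION_FMT, major, minor);
}

/* Characters in the greeting for this version, not counting the NUL. */
int rfb_version_len(int major, int minor)
{
    char probe[32];                     /* large enough for any 3-digit fields */
    return rfb_version_msg(probe, sizeof probe, major, minor);
}

/* Does an array of n bytes hold the whole greeting plus its terminator?
 * This is the check that ver_msg[12] fails and ver_msg[13] passes. */
int rfb_version_buf_ok(size_t n, int major, int minor)
{
    int len = rfb_version_len(major, minor);
    return len >= 0 && (size_t)len + 1 <= n;
}

int main(void)
{
    /* Sized from the format rather than by hand: 12 characters + NUL = 13. */
    char ver_msg[sizeof "RFB 000.000\n"];
    int len = rfb_version_msg(ver_msg, sizeof ver_msg, 3, 3);

    printf("greeting is %d chars; needs %d bytes; 12 ok: %d; 13 ok: %d\n",
           len, len + 1, rfb_version_buf_ok(12, 3, 3), rfb_version_buf_ok(13, 3, 3));
    return 0;
}
```

With the original sprintf() the thirteenth byte lands past the array, which on this gcc/FreeBSD stack layout happens to overwrite the saved frame state; snprintf() bounded by sizeof turns the same mistake into a truncated string instead of a crash.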
--- host_connect.c.orig Sat Jan 11 10:44:02 2003
+++ host_connect.c Fri Nov 17 11:33:53 2006
@@ -232,7 +232,7 @@
char *buf = (char *)cur_slot->readbuf;
int major = 3, minor = 3;
int remote_major, remote_minor;
- char ver_msg[12];
+ char ver_msg[13];
if ( strncmp(buf, "RFB ", 4) != 0 || !isdigit(buf[4]) ||
!isdigit(buf[4]) || !isdigit(buf[5]) || !isdigit(buf[6]) ||
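Review bot: 13 is the right size for the fixed-width greeting this function builds ("RFB 003.003\n" is 12 characters plus the NUL that sprintf() appends, as the description says), but it is an unexplained magic number that will be wrong again the next time the format changes. Prefer deriving the size from the format and bounding the write, e.g. `char ver_msg[sizeof "RFB 000.000\n"];` with `snprintf(ver_msg, sizeof ver_msg, ...)` in place of the sprintf() the description mentions, or at least add a comment next to the 13 saying where it comes from. Unrelated to this hunk but visible in its context: the condition tests `!isdigit(buf[4])` twice; the second occurrence looks like a typo for another byte of the version string and should get its own fix.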