From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 6 Jan 2019 14:20:37 +0100
Subject: LibVNCClient: fail on server-sent desktop name lengths longer than
 1MB
Origin: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
Bug-Debian: https://bugs.debian.org/920941
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20748

re #273
---
 libvncclient/rfbproto.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1293,8 +1293,12 @@
   client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
   client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
 
-  /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
-  client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
+  if (client->si.nameLength > 1<<20) {
+      rfbClientErr("Too big desktop name length sent by server: %u B > 1 MB\n", (unsigned int)client->si.nameLength);
+      return FALSE;
+  }
+
+  client->desktopName = malloc(client->si.nameLength + 1);
   if (!client->desktopName) {
     rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
             (unsigned long)client->si.nameLength);
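Review bot: The added check `if (client->si.nameLength > 1<<20)` replaces the removed wrap-around comment without recording that this cap is now the only thing keeping `client->si.nameLength + 1` in the malloc below from wrapping. A later change to the limit could silently reintroduce the overflow, so I would put a comment above the check, for example `/* nameLength is server-controlled: cap it so the +1 below cannot wrap and the allocation stays bounded */`. The limit would also read better as `(1<<20)` or a named constant than as a bare literal that has to stay in sync with the "1 MB" text in the error message. The enclosing function starts and ends outside the hunk, so whether the new early `return FALSE` has to release anything acquired earlier cannot be judged from these lines.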
