From a21eee26ab04e05c7e457b2afe4d49aac952d021 Mon Sep 17 00:00:00 2001
From: Geoffrey McRae
Date: Tue, 2 Nov 2021 01:01:17 +1100
Subject: [PATCH] [client] main: fix buffer overflow due to cursor data size change
---
 client/src/main.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/client/src/main.c b/client/src/main.c
index 4f7095a9..4e975936 100644
--- a/client/src/main.c
+++ b/client/src/main.c
@@ -305,6 +305,7 @@ int main_cursorThread(void * unused)
   LGMP_STATUS status;
   LG_RendererCursor cursorType = LG_CURSOR_COLOR;
   KVMFRCursor * cursor = NULL;
+  int cursorSize = 0;
 
   lgWaitEvent(e_startup, TIMEOUT_INFINITE);
 
@@ -377,6 +378,12 @@ int main_cursorThread(void * unused)
       break;
     }
 
+    if (cursor && msg.size > cursorSize)
+    {
+      free(cursor);
+      cursor = NULL;
+    }
+
     /* copy and release the message ASAP */
     if (!cursor)
     {
@@ -387,6 +394,7 @@ int main_cursorThread(void * unused)
         g_state.state = APP_STATE_SHUTDOWN;
         break;
       }
+      cursorSize = msg.size;
     }
 
     memcpy(cursor, msg.mem, msg.size);
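Review bot: `int cursorSize = 0;` in the first hunk is compared against `msg.size` in the second hunk and assigned from it in the third; if `msg.size` is an unsigned type such as `size_t` (its declaration is not in the hunk), the comparison is signed/unsigned and the assignment narrows, so a large size could make the grow check misbehave and the buffer end up smaller than the `memcpy(cursor, msg.mem, msg.size)` that follows. Declaring the tracker with the message's own size type, `size_t cursorSize = 0;`, keeps the comparison, the assignment and the memcpy length consistent without further casts. main_cursorThread's body continues outside all three hunks.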
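Review bot: The free-and-reset block in the second hunk carries no comment explaining why a still-valid buffer is discarded, which is the whole substance of this overflow fix and will look like a needless reallocation to the next reader. A one-liner above the `if`, `/* the cursor payload can grow between messages; drop the buffer so it is re-allocated at msg.size before the memcpy below */`, would record the reason. The re-allocation it depends on sits inside the `if (!cursor)` block, which presumably allocates `msg.size` bytes but continues outside the hunk.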