[client] main: fix buffer overflow due to cursor data size change

This commit is contained in:
Geoffrey McRae 2021-11-02 01:01:17 +11:00
parent 7075fe2c54
commit a21eee26ab


@ -305,6 +305,7 @@ int main_cursorThread(void * unused)
LGMP_STATUS status; LGMP_STATUS status;
LG_RendererCursor cursorType = LG_CURSOR_COLOR; LG_RendererCursor cursorType = LG_CURSOR_COLOR;
KVMFRCursor * cursor = NULL; KVMFRCursor * cursor = NULL;
int cursorSize = 0;
lgWaitEvent(e_startup, TIMEOUT_INFINITE); lgWaitEvent(e_startup, TIMEOUT_INFINITE);
@ -377,6 +378,12 @@ int main_cursorThread(void * unused)
break; break;
} }
if (cursor && msg.size > cursorSize)
{
free(cursor);
cursor = NULL;
}
/* copy and release the message ASAP */ /* copy and release the message ASAP */
if (!cursor) if (!cursor)
{ {
@ -387,6 +394,7 @@ int main_cursorThread(void * unused)
g_state.state = APP_STATE_SHUTDOWN; g_state.state = APP_STATE_SHUTDOWN;
break; break;
} }
cursorSize = msg.size;
} }
memcpy(cursor, msg.mem, msg.size); memcpy(cursor, msg.mem, msg.size);
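Review bot: The new check at `if (cursor && msg.size > cursorSize)` handles a message that outgrows the buffer, but nothing in these hunks rejects one smaller than `sizeof(KVMFRCursor)`, so after `memcpy(cursor, msg.mem, msg.size)` the part of the struct that later code reads could be uninitialized heap memory. Since `msg.size` is taken from the shared-memory message rather than computed locally, a minimum-size check before the allocation, e.g. `if (msg.size < sizeof(KVMFRCursor))` followed by releasing the message and `continue`, would close that gap — unless the size is already validated outside the hunk, in which case a one-line comment saying so next to the check would help the next reader. Separately, if `msg.size` is an unsigned type, `int cursorSize` turns `msg.size > cursorSize` into a signed/unsigned comparison; declaring `cursorSize` with the same type as `msg.size` avoids that. The enclosing main_cursorThread starts and ends outside the hunks.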