diff options
| author | Solly Ross <sross@redhat.com> | 2015-08-26 14:28:10 -0400 |
|---|---|---|
| committer | Solly Ross <sross@redhat.com> | 2015-08-26 14:31:23 -0400 |
| commit | 89bdc8ce488153ba3299695791d3d2309751e1e4 (patch) | |
| tree | 7756735cc3c937f71d9d1fb8eade4911acedb636 | |
| parent | a369a80c2480af685b7bddacddae9cca3aea95f9 (diff) | |
| download | novnc-bug/tight-buffer-overread.tar.gz | |
Fix buffer over-reads in handle_tightbug/tight-buffer-overread
For performance reasons, the `handle_tight` function skips the
use of the receive queue API and uses the raw receive queue directly.
Because of the way that typed array receive queue gets reused, this
introduced the potential for buffer over-reads.
To address this, a new function, `rQwhole`, was introduced.
`rQwhole` simply returns a new view into the receive queue that
starts at 0 and ends at the current recorded end of the queue.
`handle_tight` now makes use of this function.
Fixes #522
| -rw-r--r-- | include/rfb.js | 2 | ||||
| -rw-r--r-- | include/websock.js | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/include/rfb.js b/include/rfb.js index b7a811d..b45537c 100644 --- a/include/rfb.js +++ b/include/rfb.js @@ -1782,8 +1782,8 @@ var RFB; return dest; }.bind(this); - var rQ = this._sock.get_rQ(); var rQi = this._sock.get_rQi(); + var rQ = this._sock.rQwhole(); var cmode, data; var cl_header, cl_data; diff --git a/include/websock.js b/include/websock.js index 61d9467..892238b 100644 --- a/include/websock.js +++ b/include/websock.js @@ -154,6 +154,10 @@ function Websock() { this._rQi += len; }, + rQwhole: function () { + return new Uint8Array(this._rQ.buffer, 0, this._rQlen); + }, + rQslice: function (start, end) { if (end) { return new Uint8Array(this._rQ.buffer, this._rQi + start, end - start); |