jcarr
/
noVNC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix buffer over-reads in handle_tight 

For performance reasons, the `handle_tight` function skips the
use of the receive queue API and uses the raw receive queue directly.
Because of the way that typed array receive queue gets reused, this
introduced the potential for buffer over-reads.

To address this, a new function, `rQwhole`, was introduced.
`rQwhole` simply returns a new view into the receive queue that
starts at 0 and ends at the current recorded end of the queue.

`handle_tight` now makes use of this function.

Fixes #522
This commit is contained in:
Solly Ross 2015-08-26 14:28:10 -04:00
parent a369a80c24
commit 89bdc8ce48
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/rfb.js
View File

@ -1782,8 +1782,8 @@ var RFB;
return dest; return dest;
}.bind(this); }.bind(this);
var rQ = this._sock.get_rQ();
var rQi = this._sock.get_rQi(); var rQi = this._sock.get_rQi();
var rQ = this._sock.rQwhole();
var cmode, data; var cmode, data;
var cl_header, cl_data; var cl_header, cl_data;

4
include/websock.js
View File

@ -154,6 +154,10 @@ function Websock() {
this._rQi += len; this._rQi += len;
}, },
rQwhole: function () {
return new Uint8Array(this._rQ.buffer, 0, this._rQlen);
},
rQslice: function (start, end) { rQslice: function (start, end) {
if (end) { if (end) {
return new Uint8Array(this._rQ.buffer, this._rQi + start, end - start); return new Uint8Array(this._rQ.buffer, this._rQi + start, end - start);