From 785f94d13ff8d9a554b08b4598cbfb691c8b5227 Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Mon, 18 May 2026 07:42:24 +0200
Subject: [PATCH] Guard buildExtClipProvideText against oversized input
---
 client/vnc/server/extclipboard.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/client/vnc/server/extclipboard.go b/client/vnc/server/extclipboard.go
index 171430e77..86ab6d554 100644
--- a/client/vnc/server/extclipboard.go
+++ b/client/vnc/server/extclipboard.go
@@ -88,8 +88,12 @@ func buildExtClipRequest(formats uint32) []byte {
 // buildExtClipProvideText emits a Provide carrying UTF-8 text. The inner
 // stream (4-byte length including the trailing NUL, then UTF-8 bytes, then
 // NUL) is zlib-compressed; each Provide uses an independent zlib context
-// per the extension spec.
+// per the extension spec. Rejects oversized input so a caller bug can't
+// produce a payload larger than the size advertised in our Caps.
 func buildExtClipProvideText(text string) ([]byte, error) {
+ if len(text) > extClipMaxText {
+ return nil, fmt.Errorf("clipboard text exceeds extClipMaxText (%d > %d)", len(text), extClipMaxText)
+ }
 body := make([]byte, 0, 4+len(text)+1)
 var lenBuf [4]byte
 binary.BigEndian.PutUint32(lenBuf[:], uint32(len(text)+1))
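Review bot: The new guard in buildExtClipProvideText compares `len(text)` with `extClipMaxText`, but the length field written a few lines below is `uint32(len(text)+1)` because the inner stream counts the trailing NUL, so text of exactly extClipMaxText bytes still produces a record one byte over that value. If the size advertised in Caps is extClipMaxText and the peer counts the terminator (the constant and the Caps builder are outside this hunk, so this needs confirming), the check should read `if len(text) >= extClipMaxText {`, or the doc comment should state that the limit excludes the NUL. A boundary test at extClipMaxText-1, extClipMaxText and extClipMaxText+1 bytes would pin the intended behaviour. The function body continues past the end of the hunk.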