DnD Phase II] - Avoid potential memory overflow.

In the case when dragging a format whose size is exactly the same as the
size threshold and plain text is provided, the plain text can't be added.
Current logic does not handle this case.  Instead it will result in a
large unsigned number (0-1 = 0xffff_ffff) of bytes to be allocated to
store plain text which causes memory overflow.

Just return in the case that no more size left to add plain text or the
plain text is empty.

diff --git a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
index fc369513e4e156bacd0bdefa943e5626fe7320b5..ed592f4829da4e2023aaed2f4e360a7e9e83e9ac 100644 (file)
--- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
+++ b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c
@@ -697,6 +697,13 @@ DnD_SetCPClipboardAndTruncateText(CPClipboard *clip, // IN/OUT
 {
    size_t bytesLeft = clip->maxSize - CPClipboard_GetTotalSize(clip) - 1;
 
+   if (bytesLeft < 2 || len == 1) {
+      /*
+       * Less than 2 bytes left ( 1 byte needed for ending NULL ) or
+       * input buffer only contains ending NULL
+       */
+      return;
+   }
    // Truncate if the length is greater than max allowed.
    if (len > bytesLeft) {
       size_t boundaryPoint =