From: Oliver Kurth Date: Wed, 10 Apr 2019 21:14:55 +0000 (-0700) Subject: DnD Phase II] - Avoid potential memory overflow. X-Git-Tag: stable-11.0.0~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c69b930a826aad87c692d516fd77d1a4cbed0fb;p=thirdparty%2Fopen-vm-tools.git DnD Phase II] - Avoid potential memory overflow. In the case when dragging a format whose size is exactly the same as the size threshold and plain text is provided, the plain text can't be added. Current logic does not handle this case. Instead it will result in a large unsigned number (0-1 = 0xffff_ffff) of bytes to be allocated to store plain text which causes memory overflow. Just return in the case that no more size left to add plain text or the plain text is empty. --- diff --git a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c index fc369513e..ed592f482 100644 --- a/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c +++ b/open-vm-tools/services/plugins/dndcp/dnd/dndCommon.c @@ -697,6 +697,13 @@ DnD_SetCPClipboardAndTruncateText(CPClipboard *clip, // IN/OUT { size_t bytesLeft = clip->maxSize - CPClipboard_GetTotalSize(clip) - 1; + if (bytesLeft < 2 || len == 1) { + /* + * Less than 2 bytes left ( 1 byte needed for ending NULL ) or + * input buffer only contains ending NULL + */ + return; + } // Truncate if the length is greater than max allowed. if (len > bytesLeft) { size_t boundaryPoint =
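Review bot: The new guard `if (bytesLeft < 2 || len == 1)` runs after `clip->maxSize - CPClipboard_GetTotalSize(clip) - 1` has already been stored in a `size_t`, so it cannot see a wrapped result. If the total size is equal to or larger than `clip->maxSize`, `bytesLeft` becomes a very large value, `bytesLeft < 2` is false, and the function continues into the truncation logic as if space were available. Consider comparing the two sizes before subtracting: return early when `CPClipboard_GetTotalSize(clip) >= clip->maxSize`, and only then compute `bytesLeft` and apply the "fewer than 2 bytes" test. Separately, `len == 1` relies on `len` always counting the terminating NUL; `len <= 1` would also cover a caller passing 0. The added comment says "ending NULL" where the terminator byte is NUL.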