From 5b270544b85233668b98161323297d418a8f5fd1 Mon Sep 17 00:00:00 2001
From: Kang Hee chan <24s101h0659@sonline20.sen.go.kr>
Date: Wed, 6 May 2026 21:48:54 +0900
Subject: [PATCH] libvncclient: fix Tight gradient decoding overflow

---
 include/rfb/rfbclient.h  |  3 ++-
 libvncclient/tight.c | 10 +++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

Index: libvncserver-LibVNCServer-0.9.10/rfb/rfbclient.h
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/rfb/rfbclient.h
+++ libvncserver-LibVNCServer-0.9.10/rfb/rfbclient.h
@@ -243,10 +243,11 @@ typedef struct _rfbClient {
 	rfbBool zlibStreamActive[4];
 
 	/* Filter stuff. Should be initialized by filter initialization code. */
+#define TIGHT_GRADIENT_MAX_WIDTH 2048
 	rfbBool cutZeros;
 	int rectWidth, rectColors;
 	char tightPalette[256*4];
-	uint8_t tightPrevRow[2048*3*sizeof(uint16_t)];
+	uint8_t tightPrevRow[TIGHT_GRADIENT_MAX_WIDTH*3*sizeof(uint16_t)];
 
 #ifdef LIBVNCSERVER_HAVE_LIBJPEG
 	/** JPEG decoder state. */
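Review bot: The `#define TIGHT_GRADIENT_MAX_WIDTH 2048` is placed inside the body of `struct _rfbClient`, between the "Filter stuff" comment and the fields that comment describes, and nothing says what it bounds. Because the macro now sizes `tightPrevRow`, changing its value would change the layout of `rfbClient` for every program built against this header, which should be stated next to the definition. I would move it above the `typedef struct _rfbClient` line with a comment such as `/* Widest rectangle (in pixels) the Tight gradient filter decodes; sizes tightPrevRow, so changing it alters the rfbClient layout. */`. The struct begins and ends outside this hunk, so the exact insertion point has to be chosen from the full header.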
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/tight.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/tight.c
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/tight.c
@@ -173,6 +173,11 @@ HandleTightBPP (rfbClient* client, int r
       bitsPixel = InitFilterPaletteBPP(client, rw, rh);
       break;
     case rfbTightFilterGradient:
+      if (rw > TIGHT_GRADIENT_MAX_WIDTH) {
+	rfbClientLog("Tight Gradient rectangle width %d exceeds maximum %d.\n",
+		     rw, TIGHT_GRADIENT_MAX_WIDTH);
+	return FALSE;
+      }
       filterFn = FilterGradientBPP;
       bitsPixel = InitFilterGradientBPP(client, rw, rh);
       break;
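Review bot: The new `rw > TIGHT_GRADIENT_MAX_WIDTH` check in the `rfbTightFilterGradient` case has no comment saying which buffers it protects. The link to the `thisRow` arrays in `FilterGradient24`/`FilterGradientBPP` and to `client->tightPrevRow` is only visible by reading the other hunks. A line such as `/* Gradient row buffers (thisRow, client->tightPrevRow) hold TIGHT_GRADIENT_MAX_WIDTH pixels; refuse wider rectangles. */` above the `if` would keep the bound and the buffers tied together. The limit is enforced only at this call site; whether any other path can set `client->rectWidth` (presumably the width the filters iterate over) without passing through it cannot be seen here and is worth confirming. `HandleTightBPP` starts and ends outside the hunk.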
@@ -359,7 +364,7 @@ static void
 FilterGradient24 (rfbClient* client, int numRows, uint32_t *dst)
 {
   int x, y, c;
-  uint8_t thisRow[2048*3];
+  uint8_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
   uint8_t pix[3];
   int est[3];
 
@@ -400,7 +405,7 @@ FilterGradientBPP (rfbClient* client, in
   int x, y, c;
   CARDBPP *src = (CARDBPP *)client->buffer;
   uint16_t *thatRow = (uint16_t *)client->tightPrevRow;
-  uint16_t thisRow[2048*3];
+  uint16_t thisRow[TIGHT_GRADIENT_MAX_WIDTH*3];
   uint16_t pix[3];
   uint16_t max[3];
   int shift[3];
@@ -685,4 +690,3 @@ JpegSetSrcManager(j_decompress_ptr cinfo
 /* LIBVNCSERVER_HAVE_LIBZ and LIBVNCSERVER_HAVE_LIBJPEG */
 #endif
 #endif
-
