Skip to content

unpackBinaryData() can overfill destination buffer #5486

Description

@akleshchev

Environment

7.2.3.19375695301

Description

unpackBinaryData() can be passed a buffer of random size. A corrupted message, or message for a newer version of viewer can contain more data than viewer is ready for, which would result in unpackBinaryData() overfilling destination buffer, which would lead to a crash.

Reproduction steps

No known steps, was reported here #5483 (comment)

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingtriageFlags issues that need to be triaged

Type

Fields

No fields configured for Bug.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions