From 42a240f43ca84063aa79d9ea2d80d1d50eec2dbe Mon Sep 17 00:00:00 2001
From: Bryan Roe <git.bryan.roe@techsavvydude.com>
Date: Sat, 21 Sep 2019 00:18:29 -0700
Subject: [PATCH] Added upper bound for CRC32C check on mouse cursor pixels

---
 meshcore/KVM/Linux/linux_kvm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/meshcore/KVM/Linux/linux_kvm.c b/meshcore/KVM/Linux/linux_kvm.c
index f2e9ab1..79b1470 100644
--- a/meshcore/KVM/Linux/linux_kvm.c
+++ b/meshcore/KVM/Linux/linux_kvm.c
@@ -751,15 +751,17 @@ void* kvm_server_mainloop(void* parm)
 								unsigned short w = ((unsigned short*)(cursor_image + 4))[0];
 								unsigned short h = ((unsigned short*)(cursor_image + 6))[0];
 								char *pixels = cursor_image + 24;
-								char alpha[1024];
+								char alpha[65535];
 								int i;
 
-								for (i = 0; i < (w*h); ++i)
-								{
-									alpha[i] = pixels[7 + (i * 8)];
-								}
-								switch (crc32c(0, (unsigned char*)alpha, (uint32_t)(w*h)))
+								if ((size_t)(w*h) <= sizeof(alpha))
 								{
+									for (i = 0; i < (w*h); ++i)
+									{
+										alpha[i] = pixels[7 + (i * 8)];
+									}
+									switch (crc32c(0, (unsigned char*)alpha, (uint32_t)(w*h)))
+									{
 									case 680869104:
 										curcursor = KVM_MouseCursor_SIZENS;
 										break;
@@ -780,6 +782,7 @@ void* kvm_server_mainloop(void* parm)
 									case 728953462:
 										curcursor = KVM_MouseCursor_ARROW;
 										break;
+									}
 								}
 							}
 						}