


Perceptive Security
SOC/SIEM Consultancy

LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scrat…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 16:03:27
Source:
nvd.nist.gov
Network Infrastructure, Supply Chain & Dependencies
LibVNCClient versions 0.9.15 and earlier contain a buffer overflow vulnerability in the Tight encoding decoder. The library uses fixed-size 2048-pixel scratch buffers for the Gradient filter but fails to reject rectangles wider than 2048 pixels. A malicious VNC server can exploit this by sending crafted FramebufferUpdate rectangles using Tight encoding with NoZlib | ExplicitFilter and Gradient filter. When a LibVNCClient-based client processes the server-controlled rectangle width, it writes beyond the fixed-size buffers, leading to potential code execution. The vulnerability has been patched in commit 5b270544b85233668b98161323297d418a8f5fd1.
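The missing width check described above, shown as an added example in a simplified Gradient-filter row decoder. This is not LibVNCClient source or the patch itself. The struct, function names and the 3-bytes-per-pixel layout are assumptions made for illustration; only the 2048-pixel scratch capacity comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCRATCH_PIXELS 2048   /* fixed scratch capacity named in the advisory */

/* Hypothetical decoder state: previous-row scratch buffer, R,G,B per pixel. */
struct grad_state { uint8_t prev_row[SCRATCH_PIXELS * 3]; };

/* The rectangle width is server-controlled, so it is validated against the
   scratch capacity before any buffer is indexed with it. */
static int width_ok(unsigned rect_w) { return rect_w > 0 && rect_w <= SCRATCH_PIXELS; }

static uint8_t clamp8(int v) { return v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v; }

/* Start a new rectangle. Returns 0, or -1 if the width does not fit. */
int grad_init(struct grad_state *st, unsigned rect_w)
{
    if (!width_ok(rect_w))
        return -1;
    memset(st->prev_row, 0, (size_t)rect_w * 3);
    return 0;
}

/* Decode one row of residuals (rect_w*3 bytes in src) into dst.
   Prediction per channel is left + up - upleft, clamped to 0..255. */
int grad_decode_row(struct grad_state *st, const uint8_t *src,
                    uint8_t *dst, unsigned rect_w)
{
    if (!width_ok(rect_w))   /* without this, the writes below run past prev_row */
        return -1;
    uint8_t left[3] = {0, 0, 0}, upleft[3] = {0, 0, 0};
    for (unsigned x = 0; x < rect_w; x++) {
        for (int c = 0; c < 3; c++) {
            size_t i = (size_t)x * 3 + c;
            uint8_t up = st->prev_row[i];
            uint8_t v = (uint8_t)(src[i] + clamp8(left[c] + up - upleft[c]));
            upleft[c] = up;        /* old value above the pixel just decoded */
            left[c] = v;
            dst[i] = v;
            st->prev_row[i] = v;   /* becomes "up" for the next row */
        }
    }
    return 0;
}
```

A client built on a vulnerable version can be checked the same way: confirm that every path using the rectangle width to index a fixed-size buffer rejects oversized widths first.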
Technical details
Mitigation steps:
Affected products:
LibVNCClient
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44988
https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
