File: xclip.c
Function: ui_clip_handle_data()

This function is called after "length" has been read from the input stream, without any check that the stream actually contains at least "length" bytes, so "length" is an attacker-controlled value that may exceed the size of the buffer behind "data".
The call to "crlf2lf(data, &length)" uses the supplied "length" as its bound and performs an in-place conversion: every byte that is not '\r' is copied back toward the start of the buffer, so the net effect is a "memmove()"-like memory shift of the bytes that follow each '\r', including bytes read from beyond the end of the real buffer.
By controlling the number of '\r' characters in the buffer, the attacker controls the distance of that memory shift; by controlling "length", the attacker controls how far past the buffer the shift reads and writes.

Code Snippet:

/* Called when the RDP server responds with clipboard data (after we've requested it). */
void
ui_clip_handle_data(uint8 * data, uint32 length)
{
	RD_BOOL free_data = False;

	if (length == 0)
	{
		has_selection_request = False;
	}

	/* selection_request.target is the X selection target the clipboard request was
	   made for (identifier restored from the rdesktop source; the page's copy of
	   this line had lost it) */
	if (selection_request.target == format_string_atom
	    || selection_request.target == XA_STRING)
	{
		/* We're expecting a CF_TEXT response */
		uint8 *firstnull;

		/* translate linebreaks: "length" is trusted here, nothing verified that
		   "data" really holds that many bytes */
		crlf2lf(data, &length);

		/* Only send data up to null byte, if any */
		firstnull = (uint8 *) strchr((char *) data, '\0');
		if (firstnull)
		{
			length = firstnull - data + 1;
		}
	}
	/* ... rest of function ... */
}
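The following is an added example, not rdesktop's code and not part of the original report. It reimplements a CR-stripping routine with the shape described above (read cursor bounded by the caller's "length", write cursor lagging by the number of '\r' seen), models the overread on a single constructed region so the shift is visible, and shows the check a caller should make before trusting "length". The names crlf2lf, cr_count, clip_convert_checked and demo_shift, and the sample bytes, are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t uint8;
typedef uint32_t uint32;

/* In-place CR stripping with the behaviour the report describes: the read
 * cursor walks *length bytes, the write cursor lags it by the number of '\r'
 * seen so far. Reimplemented for this example; not rdesktop's own crlf2lf. */
static void crlf2lf(uint8 *data, uint32 *length)
{
    uint8 *src = data, *dst = data;
    const uint8 *end = data + *length;   /* trusts *length completely */

    while (src < end) {
        if (*src != '\r')
            *dst++ = *src;
        src++;
    }
    *length = (uint32)(dst - data);
}

/* Number of '\r' bytes in the first n bytes: every byte after the last '\r'
 * is moved that many positions toward the start. The sender chooses this. */
uint32 cr_count(const uint8 *data, uint32 n)
{
    uint32 c = 0;
    for (uint32 i = 0; i < n; i++)
        if (data[i] == '\r')
            c++;
    return c;
}

/* Hardened wrapper (example fix): `avail` is the number of bytes the stream
 * actually delivered for this clipboard response. The conversion runs only
 * when the declared length fits inside it. Returns false when rejected. */
bool clip_convert_checked(uint8 *data, uint32 *length, size_t avail)
{
    if (*length > avail)
        return false;
    crlf2lf(data, length);
    return true;
}

#define PAYLOAD 8
#define TRAILER 8

/* Model of the bug in one region of PAYLOAD + TRAILER bytes: the first
 * PAYLOAD bytes are the constructed clipboard text the server sent (two
 * CRs), the next TRAILER bytes stand in for whatever lies after it in
 * memory. Runs the unchecked conversion with a declared length covering
 * both, and returns how many trailer bytes were pulled into the payload
 * area. That count equals cr_count() over the payload. */
uint32 demo_shift(uint8 *region)
{
    static const char payload[] = "ab\r\ncd\r\n";   /* constructed sample */
    memcpy(region, payload, PAYLOAD);
    memset(region + PAYLOAD, 'X', TRAILER);          /* sentinel bytes */

    uint32 length = PAYLOAD + TRAILER;  /* attacker-declared, unchecked */
    crlf2lf(region, &length);

    uint32 pulled = 0;
    for (uint32 i = 0; i < PAYLOAD; i++)
        if (region[i] == 'X')
            pulled++;
    return pulled;
}

int main(void)
{
    uint8 region[PAYLOAD + TRAILER];
    uint32 pulled = demo_shift(region);
    printf("unchecked: %u sentinel byte(s) shifted into the payload area\n", pulled);

    uint8 buf[PAYLOAD];
    memcpy(buf, "ab\r\ncd\r\n", PAYLOAD);
    uint32 len = PAYLOAD + TRAILER;     /* same oversized length, checked path */
    printf("checked: %s\n", clip_convert_checked(buf, &len, PAYLOAD) ? "converted" : "rejected");
    return 0;
}
```

The unchecked path moves two sentinel bytes into the first eight bytes of the region, which is the "memory shift" controlled by the number of '\r' bytes; the same declared length is rejected by the checked wrapper because it exceeds the bytes the stream actually delivered.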