In TightVNC 1.3.10, there is an integer signedness error and resultant
heap-based buffer overflow in InitialiseRFBConnection in rfbproto.c (for
the vncviewer component). There is no check on the size given to malloc,
e.g., -1 is accepted. This allocates a chunk of size zero, which will give
a heap pointer. However, one can send 0xffffffff bytes of data, which can
have a DoS impact or lead to remote code execution.