h264: Handle over-sized frames

Over-sized frames from the server need to be handled to avoid out-of-bounds
memory access.

common/rfb/H264LibavDecoderContext.cxx

@@ -224,7 +224,13 @@ void H264LibavDecoderContext::decode(const uint8_t* h264_in_buffer,
   pb->getBuffer(rect, &stride);
   int dst_linesize = rect.width() * pb->getPF().bpp / 8;
 
-  sws_scale(sws, frame->data, frame->linesize, 0, frame->height, &swsBuffer, &dst_linesize);
+  // The server may send a frame with a height greater than that of the rect,
+  // but we don't want to write outside of the rect.
+  // The server may choose to do this due to hardware encoder constraints.
+  int height = std::min(rect.height(), frame->height);
+
+  sws_scale(sws, frame->data, frame->linesize, 0, height, &swsBuffer,
+            &dst_linesize);
 
   pb->imageRect(rect, swsBuffer);
 }