SUSE:SLE-12-SP3:GA
File U_tigervnc-prevent-double-free-by-crafted-fences.patch of Package tigervnc.4484
Git-commit: f3afa24da144409a3c3a0e35913112583d987671 Patch-Mainline: Upstream References: bnc#1031875 From: Michal Srb <michalsrb@gmail.com> Subject: Prevent double free by crafted fences. If client sent fence with some data, followed by fence with no data (length 0), the original fence data were freed, but the pointer kept pointing at them. Sending one more fence would attempt to free them again. diff --git a/common/rfb/SMsgWriter.cxx b/common/rfb/SMsgWriter.cxx index cf3264e..bc3f439 100644 --- a/common/rfb/SMsgWriter.cxx +++ b/common/rfb/SMsgWriter.cxx @@ -101,7 +101,9 @@ void SMsgWriter::writeFence(rdr::U32 flags, unsigned len, const char data[]) os->writeU32(flags); os->writeU8(len); - os->writeBytes(data, len); + + if (len > 0) + os->writeBytes(data, len); endMsg(); } diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx index 0a2ca33..d2206f9 100644 --- a/common/rfb/VNCSConnectionST.cxx +++ b/common/rfb/VNCSConnectionST.cxx @@ -666,6 +666,7 @@ void VNCSConnectionST::fence(rdr::U32 flags, unsigned len, const char data[]) fenceFlags = flags & (fenceFlagBlockBefore | fenceFlagBlockAfter | fenceFlagSyncNext); fenceDataLen = len; delete [] fenceData; + fenceData = NULL; if (len > 0) { fenceData = new char[len]; memcpy(fenceData, data, len);
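Review bot: In SMsgWriter::writeFence, the new `if (len > 0)` guard around os->writeBytes(data, len) carries no comment, and the commit message, which only describes the double free in VNCSConnectionST::fence, does not say why the writer needs it. If the reason is that data can now be NULL when len is 0 (fenceData is reset to NULL in the other hunk), state that in a short comment above the guard. Separately, len is an unsigned that goes on the wire through os->writeU8(len), so the length byte and the number of bytes written only agree when len fits in 8 bits; no upper bound is visible in this hunk, so confirm one is enforced earlier in the function.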
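Review bot: In VNCSConnectionST::fence, fenceDataLen = len is still assigned before the old buffer is released and the new one allocated, so with the added fenceData = NULL a failure in new char[len] leaves fenceDataLen non-zero while fenceData is NULL. Consider resetting fenceDataLen to 0 together with the pointer and setting it to len only after the memcpy, so that length and pointer cannot disagree. The hunk also shows no upper bound on the client-supplied len before the allocation; check that one is applied earlier in the function.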