SUSE:SLE-12-SP4:GA
File 0005-Handle-empty-Tight-gradient-rects.patch of Package tigervnc
From b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 Mon Sep 17 00:00:00 2001 From: Pierre Ossman <ossman@cendio.se> Date: Tue, 10 Sep 2019 15:36:42 +0200 Subject: [PATCH] Handle empty Tight gradient rects We always assumed there would be one pixel per row so a rect with a zero width would result in us writing to unknown memory. This could theoretically be used by a malicious server to inject code in to the viewer process. Issue found by Pavel Cheremushkin from Kaspersky Lab. --- common/rfb/tightDecode.h | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) Index: tigervnc-1.6.0/common/rfb/tightDecode.h =================================================================== --- tigervnc-1.6.0.orig/common/rfb/tightDecode.h +++ tigervnc-1.6.0/common/rfb/tightDecode.h @@ -279,15 +279,17 @@ TightDecoder::FilterGradient24(rdr::U8 * int rectWidth = r.width(); for (y = 0; y < rectHeight; y++) { - /* First pixel in a row */ - for (c = 0; c < 3; c++) { - pix[c] = netbuf[y*rectWidth*3+c] + prevRow[c]; - thisRow[c] = pix[c]; - } - serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1); + for (x = 0; x < rectWidth; x++) { + /* First pixel in a row */ + if (x == 0) { + for (c = 0; c < 3; c++) { + pix[c] = netbuf[y*rectWidth*3+c] + prevRow[c]; + thisRow[c] = pix[c]; + } + serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1); + continue; + } - /* Remaining pixels of a row */ - for (x = 1; x < rectWidth; x++) { for (c = 0; c < 3; c++) { est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; if (est[c] > 0xff) { 
@@ -323,17 +325,21 @@ FILTER_GRADIENT(rdr::U8 *netbuf, PIXEL_T int rectWidth = r.width(); for (y = 0; y < rectHeight; y++) { - /* First pixel in a row */ - serverpf.rgbFromBuffer(pix, (rdr::U8*)&netbuf[y*rectWidth], 1); - for (c = 0; c < 3; c++) - pix[c] += prevRow[c]; - memcpy(thisRow, pix, sizeof(pix)); + for (x = 0; x < rectWidth; x++) { + /* First pixel in a row */ + if (x == 0) { + serverpf.rgbFromBuffer(pix, (rdr::U8*)&netbuf[y*rectWidth], 1); + for (c = 0; c < 3; c++) + pix[c] += prevRow[c]; - serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1); + memcpy(thisRow, pix, sizeof(pix)); + + serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1); + + continue; + } - /* Remaining pixels of a row */ - for (x = 1; x < rectWidth; x++) { for (c = 0; c < 3; c++) { est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; if (est[c] > 255) {
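Review bot: in the FilterGradient24 hunk, the protection against a zero-width rect is carried only by the new `x < rectWidth` loop bound, and nothing at `if (x == 0) {` says that this is why the first-pixel block moved inside the loop. A one-line comment there stating that an empty rect must not touch `pix`, `thisRow` or `buf[y*stride]`, or an explicit early return ahead of the `y` loop when `rectWidth` is zero, would stop a later cleanup from hoisting the block back out and restoring the unconditional write the commit message describes. The hunk ends inside the inner loop, so it is also worth confirming that whatever runs after it for each row is a no-op when `rectWidth` is zero.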
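Review bot: the FILTER_GRADIENT hunk has no test covering the empty-rect case: the diffstat lists only common/rfb/tightDecode.h, and this hunk duplicates the same `if (x == 0) { ... continue; }` restructuring as FilterGradient24, so the two copies can drift apart unnoticed. A decoder test that passes a gradient-filtered Tight rect with width 0 through both the 24-bit and the templated variant and checks that `buf` is left untouched would pin the behaviour. As a minor style point, the clamp in this variant is written `est[c] > 255` while the other uses `est[c] > 0xff`; using one spelling in both would make the copies easier to compare.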