File U_tigervnc-limit-size-of-cursor-accepted-by-cli... of Package tigervnc

Overview Repositories Revisions Requests Users Attributes Meta

File U_tigervnc-limit-size-of-cursor-accepted-by-client.patch of Package tigervnc

Git-commit: c26b4b3bd20b40ca5f1ae9477164473fbd94995d
Patch-Mainline: Upstream
Author: Michal Srb <michalsrb@gmail.com>
Subject: Limit size of cursor accepted by client.
References: bnc#1032880

Width and height of a cursor are received as U16 from network. Accepting full range of U16 values can cause integer overflows in multiple places.

The worst is probably VLA in CMsgReader::readSetXCursor:
  rdr::U8 buf[width*height*4];

The width*height*4 can be too big to fit on stack or it can overflow into negative numbers. Both cases are undefined behaviour. Following writes to buf can overwrite other data on stack.

Index: tigervnc-1.6.0/common/rfb/CMsgReader.cxx
===================================================================
--- tigervnc-1.6.0.orig/common/rfb/CMsgReader.cxx
+++ tigervnc-1.6.0/common/rfb/CMsgReader.cxx
@@ -195,6 +195,9 @@ void CMsgReader::readRect(const Rect& r,
 
 void CMsgReader::readSetCursor(int width, int height, const Point& hotspot)
 {
+  if (width > maxCursorSize || height > maxCursorSize)
+    throw Exception("Too big cursor");
+
   int data_len = width * height * (handler->cp.pf().bpp/8);
   int mask_len = ((width+7)/8) * height;
   rdr::U8Array data(data_len);
Index: tigervnc-1.6.0/common/rfb/CMsgReader.h
===================================================================
--- tigervnc-1.6.0.orig/common/rfb/CMsgReader.h
+++ tigervnc-1.6.0/common/rfb/CMsgReader.h
@@ -70,6 +70,8 @@ namespace rfb {
     rdr::U8* imageBuf;
     int imageBufSize;
     int nUpdateRectsLeft;
+
+    static const int maxCursorSize = 256;
   };
 }
 #endif

Places

File U_tigervnc-limit-size-of-cursor-accepted-by-client.patch of Package tigervnc

Places