Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
LibVNCServer.17331
LibVNCServer-CVE-2016-9941.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File LibVNCServer-CVE-2016-9941.patch of Package LibVNCServer.17331
From 5418e8007c248bf9668d22a8c1fa9528149b69f2 Mon Sep 17 00:00:00 2001 From: Josef Gajdusek <atx@atx.name> Date: Mon, 14 Nov 2016 11:39:01 +0100 Subject: [PATCH] Fix heap overflows in the various rectangle fill functions Altough rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap. --- libvncclient/rfbproto.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) Index: LibVNCServer-0.9.9/libvncclient/rfbproto.c =================================================================== --- LibVNCServer-0.9.9.orig/libvncclient/rfbproto.c 2017-01-03 16:20:26.579743074 +0100 +++ LibVNCServer-0.9.9/libvncclient/rfbproto.c 2017-01-03 16:22:25.598925869 +0100 @@ -136,9 +136,19 @@ void* rfbClientGetClientData(rfbClient* /* messages */ +static boolean CheckRect(rfbClient* client, int x, int y, int w, int h) { + return x + w <= client->width && y + h <= client->height; +} + static void FillRectangle(rfbClient* client, int x, int y, int w, int h, uint32_t colour) { int i,j; + if (!CheckRect(client, x, y, w, h)) { + rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h); + return; + } + + #define FILL_RECT(BPP) \ for(j=y*client->width;j<(y+h)*client->width;j+=client->width) \ for(i=x;i<x+w;i++) \ @@ -156,6 +166,12 @@ static void FillRectangle(rfbClient* cli static void CopyRectangle(rfbClient* client, uint8_t* buffer, int x, int y, int w, int h) { int j; + if (!CheckRect(client, x, y, w, h)) { + rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h); + return; + } + + #define COPY_RECT(BPP) \ { \ int rs = w * BPP / 8, rs2 = client->width * BPP / 8; \ @@ -178,6 +194,17 @@ static void CopyRectangle(rfbClient* cli static void CopyRectangleFromRectangle(rfbClient* client, int src_x, int src_y, int w, int h, int dest_x, int dest_y) { int i,j; + if (!CheckRect(client, src_x, src_y, w, h)) { + rfbClientLog("Source rect out of bounds: %dx%d at (%d, %d)\n", src_x, src_y, w, h); + return; + } + + if (!CheckRect(client, dest_x, dest_y, w, h)) { + rfbClientLog("Dest rect out of bounds: %dx%d at (%d, %d)\n", dest_x, dest_y, w, h); + return; + } + + #define COPY_RECT_FROM_RECT(BPP) \ { \ uint##BPP##_t* _buffer=((uint##BPP##_t*)client->frameBuffer)+(src_y-dest_y)*client->width+src_x-dest_x; \
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor