File LibVNCServer-CVE-2020-14399.patch of Package LibVNCServer.17331

Overview Repositories Revisions Requests Users Attributes Meta

File LibVNCServer-CVE-2020-14399.patch of Package LibVNCServer.17331

From 23e5cbe6b090d7f22982aee909a6a618174d3c2d Mon Sep 17 00:00:00 2001
From: Tobias Junghans <tobydox@veyon.io>
Date: Wed, 27 May 2020 11:47:00 +0200
Subject: [PATCH] libvncclient: fix pointer aliasing/alignment issue

Accessing byte-aligned data through uint32_t pointers can cause crashes
on some platforms or reduce the performance. Therefore ensure a proper
stack alignment.
---
 libvncclient/rfbproto.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index cd2a297e..6f6d6704 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1151,10 +1151,13 @@ rfbBool
 SetFormatAndEncodings(rfbClient* client)
 {
   rfbSetPixelFormatMsg spf;
-  char buf[sz_rfbSetEncodingsMsg + MAX_ENCODINGS * 4];
+  union {
+    char bytes[sz_rfbSetEncodingsMsg + MAX_ENCODINGS*4];
+    rfbSetEncodingsMsg msg;
+  } buf;
 
-  rfbSetEncodingsMsg *se = (rfbSetEncodingsMsg *)buf;
-  uint32_t *encs = (uint32_t *)(&buf[sz_rfbSetEncodingsMsg]);
+  rfbSetEncodingsMsg *se = &buf.msg;
+  uint32_t *encs = (uint32_t *)(&buf.bytes[sz_rfbSetEncodingsMsg]);
   int len = 0;
   rfbBool requestCompressLevel = FALSE;
   rfbBool requestQualityLevel = FALSE;
@@ -1354,7 +1357,7 @@ SetFormatAndEncodings(rfbClient* client)
 
   se->nEncodings = rfbClientSwap16IfLE(se->nEncodings);
 
-  if (!WriteToRFBServer(client, buf, len)) return FALSE;
+  if (!WriteToRFBServer(client, buf.bytes, len)) return FALSE;
 
   return TRUE;
 }

Places

File LibVNCServer-CVE-2020-14399.patch of Package LibVNCServer.17331

Places