Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.3:Rings:2-TestDVD
tigervnc
U_tigervnc-fix-crash-from-integer-overflow-in-S...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_tigervnc-fix-crash-from-integer-overflow-in-SMsgReader-readClientCutText.patch of Package tigervnc
Git-commit: bf3bdac082978ca32895a4b6a123016094905689 Patch-Mainline: Upstream References: bnc#1031877 From: Michal Srb <michalsrb@gmail.com> Subject: Fix crash from integer overflow in SMsgReader::readClientCutText The length sent by client is U32, but is converted into int. If it was bigger than 0x7fffffff the resulting int is negative, it passes the check against maxCutText and later throws std::bad_alloc from CharArray which takes down the whole server. All the Streaming API deals with lengths in ints, so we can't tell it to skip that big amount of data. And it is not realistic to expect more than 2GB of clipboard data anyway. So lets just throw rdr::Exception that will disconnect this client and keep the server alive. diff --git a/common/rfb/SMsgReader.cxx b/common/rfb/SMsgReader.cxx index 89c9a8f..3c08fd6 100644 --- a/common/rfb/SMsgReader.cxx +++ b/common/rfb/SMsgReader.cxx @@ -200,6 +200,9 @@ void SMsgReader::readClientCutText() { is->skip(3); int len = is->readU32(); + if (len < 0) { + throw Exception("Cut text too long."); + } if (len > maxCutText) { is->skip(len); vlog.error("Cut text too long (%d bytes) - ignoring", len);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor