Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP1
tigervnc.16719
0001-Make-ZlibInStream-more-robust-against-fail...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Make-ZlibInStream-more-robust-against-failures.patch of Package tigervnc.16719
From d61a767d6842b530ffb532ddd5a3d233119aad40 Mon Sep 17 00:00:00 2001 From: Pierre Ossman <ossman@cendio.se> Date: Tue, 10 Sep 2019 11:05:48 +0200 Subject: [PATCH] Make ZlibInStream more robust against failures Move the checks around to avoid missing cases where we might access memory that is no longer valid. Also avoid touching the underlying stream implicitly (e.g. via the destructor) as it might also no longer be valid. A malicious server could theoretically use this for remote code execution in the client. Issue found by Pavel Cheremushkin from Kaspersky Lab --- common/rdr/ZlibInStream.cxx | 13 +++++++------ common/rdr/ZlibInStream.h | 2 +- common/rfb/CMsgReader.cxx | 3 ++- common/rfb/SMsgReader.cxx | 3 ++- common/rfb/TightDecoder.cxx | 3 ++- common/rfb/zrleDecode.h | 3 ++- 6 files changed, 16 insertions(+), 11 deletions(-) Index: tigervnc-1.9.0/common/rdr/ZlibInStream.cxx =================================================================== --- tigervnc-1.9.0.orig/common/rdr/ZlibInStream.cxx +++ tigervnc-1.9.0/common/rdr/ZlibInStream.cxx @@ -52,16 +52,16 @@ int ZlibInStream::pos() return offset + ptr - start; } -void ZlibInStream::removeUnderlying() +void ZlibInStream::flushUnderlying() { ptr = end = start; - if (!underlying) return; while (bytesIn > 0) { decompress(true); end = start; // throw away any data } - underlying = 0; + + setUnderlying(NULL, 0); } void ZlibInStream::reset() @@ -90,7 +90,7 @@ void ZlibInStream::init() void ZlibInStream::deinit() { assert(zs != NULL); - removeUnderlying(); + setUnderlying(NULL, 0); inflateEnd(zs); delete zs; zs = NULL; @@ -100,8 +100,6 @@ int ZlibInStream::overrun(int itemSize, { if (itemSize > bufSize) throw Exception("ZlibInStream overrun: max itemSize exceeded"); - if (!underlying) - throw Exception("ZlibInStream overrun: no underlying stream"); if (end - ptr != 0) memmove(start, ptr, end - ptr); @@ -127,6 +125,9 @@ int ZlibInStream::overrun(int itemSize, bool ZlibInStream::decompress(bool wait) { + if (!underlying) + throw Exception("ZlibInStream overrun: no underlying stream"); + zs->next_out = (U8*)end; zs->avail_out = start + bufSize - end; Index: tigervnc-1.9.0/common/rdr/ZlibInStream.h =================================================================== --- tigervnc-1.9.0.orig/common/rdr/ZlibInStream.h +++ tigervnc-1.9.0/common/rdr/ZlibInStream.h @@ -38,7 +38,7 @@ namespace rdr { virtual ~ZlibInStream(); void setUnderlying(InStream* is, int bytesIn); - void removeUnderlying(); + void flushUnderlying(); int pos(); void reset(); Index: tigervnc-1.9.0/common/rfb/TightDecoder.cxx =================================================================== --- tigervnc-1.9.0.orig/common/rfb/TightDecoder.cxx +++ tigervnc-1.9.0/common/rfb/TightDecoder.cxx @@ -340,7 +340,8 @@ void TightDecoder::decodeRect(const Rect zis[streamId].readBytes(netbuf, dataSize); - zis[streamId].removeUnderlying(); + zis[streamId].flushUnderlying(); + zis[streamId].setUnderlying(NULL, 0); delete ms; bufptr = netbuf; Index: tigervnc-1.9.0/common/rfb/zrleDecode.h =================================================================== --- tigervnc-1.9.0.orig/common/rfb/zrleDecode.h +++ tigervnc-1.9.0/common/rfb/zrleDecode.h @@ -178,7 +178,8 @@ void ZRLE_DECODE (const Rect& r, rdr::In } } - zis->removeUnderlying(); + zis->flushUnderlying(); + zis->setUnderlying(NULL, 0); } #undef ZRLE_DECODE
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor