File LibVNCServer-CVE-2016-9942.patch of Package LibVNCServer.15607

From 5fff4353f66427b467eb29e5fdc1da4f2be028bb Mon Sep 17 00:00:00 2001
From: Josef Gajdusek <atx@atx.name>
Date: Mon, 14 Nov 2016 12:38:05 +0100
Subject: [PATCH] Fix heap overflow in the ultra.c decoder

The Ultra type tile decoder does not use the _safe variant of the LZO
decompress function, which allows a maliciuous server to overwrite parts of the
heap by sending a larger-than-specified LZO data stream.
---
 libvncclient/ultra.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
index dac89b5..32a1b2b 100644
--- a/libvncclient/ultra.c
+++ b/libvncclient/ultra.c
@@ -86,14 +86,14 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh)
 
   /* uncompress the data */
   uncompressedBytes = client->raw_buffer_size;
-  inflateResult = lzo1x_decompress(
+  inflateResult = lzo1x_decompress_safe(
               (lzo_byte *)client->ultra_buffer, toRead,
               (lzo_byte *)client->raw_buffer, (lzo_uintp) &uncompressedBytes,
               NULL);
   
-  
+  /* Note that uncompressedBytes will be 0 on output overrun */
   if ((rw * rh * (BPP / 8)) != uncompressedBytes)
-      rfbClientLog("Ultra decompressed too little (%d < %d)", (rw * rh * (BPP / 8)), uncompressedBytes);
+      rfbClientLog("Ultra decompressed unexpected amount of data (%d != %d)\n", (rw * rh * (BPP / 8)), uncompressedBytes);
   
   /* Put the uncompressed contents of the update on the screen. */
   if ( inflateResult == LZO_E_OK ) 
@@ -168,7 +168,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
 
   /* uncompress the data */
   uncompressedBytes = client->raw_buffer_size;
-  inflateResult = lzo1x_decompress(
+  inflateResult = lzo1x_decompress_safe(
               (lzo_byte *)client->ultra_buffer, toRead,
               (lzo_byte *)client->raw_buffer, &uncompressedBytes, NULL);
   if ( inflateResult != LZO_E_OK )