Overview

File LibVNCServer-CVE-2016-9941.patch of Package LibVNCServer.3921

From 5418e8007c248bf9668d22a8c1fa9528149b69f2 Mon Sep 17 00:00:00 2001
From: Josef Gajdusek <atx@atx.name>
Date: Mon, 14 Nov 2016 11:39:01 +0100
Subject: [PATCH] Fix heap overflows in the various rectangle fill functions

Altough rfbproto.c does check whether the overall FramebufferUpdate rectangle is
too large, some of the individual encoding decoders do not, which allows a
malicious server to overwrite parts of the heap.
---
 libvncclient/rfbproto.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Index: LibVNCServer-0.9.9/libvncclient/rfbproto.c
===================================================================
--- LibVNCServer-0.9.9.orig/libvncclient/rfbproto.c	2017-01-03 16:20:26.579743074 +0100
+++ LibVNCServer-0.9.9/libvncclient/rfbproto.c	2017-01-03 16:22:25.598925869 +0100
@@ -136,9 +136,19 @@ void* rfbClientGetClientData(rfbClient*
 
 /* messages */
 
+static boolean CheckRect(rfbClient* client, int x, int y, int w, int h) {
+  return x + w <= client->width && y + h <= client->height;
+}
+
 static void FillRectangle(rfbClient* client, int x, int y, int w, int h, uint32_t colour) {
   int i,j;
 
+  if (!CheckRect(client, x, y, w, h)) {
+    rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h);
+    return;
+  }
+
+
 #define FILL_RECT(BPP) \
     for(j=y*client->width;j<(y+h)*client->width;j+=client->width) \
       for(i=x;i<x+w;i++) \
@@ -156,6 +166,12 @@ static void FillRectangle(rfbClient* cli
 static void CopyRectangle(rfbClient* client, uint8_t* buffer, int x, int y, int w, int h) {
   int j;
 
+  if (!CheckRect(client, x, y, w, h)) {
+    rfbClientLog("Rect out of bounds: %dx%d at (%d, %d)\n", x, y, w, h);
+    return;
+  }
+
+
 #define COPY_RECT(BPP) \
   { \
     int rs = w * BPP / 8, rs2 = client->width * BPP / 8; \
@@ -178,6 +194,17 @@ static void CopyRectangle(rfbClient* cli
 static void CopyRectangleFromRectangle(rfbClient* client, int src_x, int src_y, int w, int h, int dest_x, int dest_y) {
   int i,j;
 
+  if (!CheckRect(client, src_x, src_y, w, h)) {
+    rfbClientLog("Source rect out of bounds: %dx%d at (%d, %d)\n", src_x, src_y, w, h);
+    return;
+  }
+
+  if (!CheckRect(client, dest_x, dest_y, w, h)) {
+    rfbClientLog("Dest rect out of bounds: %dx%d at (%d, %d)\n", dest_x, dest_y, w, h);
+    return;
+  }
+
+
 #define COPY_RECT_FROM_RECT(BPP) \
   { \
     uint##BPP##_t* _buffer=((uint##BPP##_t*)client->frameBuffer)+(src_y-dest_y)*client->width+src_x-dest_x; \
openSUSE Build Service is sponsored by
Places