File 0005-Handle-empty-Tight-gradient-rects.patch of Package tigervnc.5211
From b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 15:36:42 +0200
Subject: [PATCH] Handle empty Tight gradient rects
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.
This could theoretically be used by a malicious server to inject
code into the viewer process.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
---
common/rfb/tightDecode.h | 37 +++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)
Index: tigervnc-1.6.0/common/rfb/tightDecode.h
===================================================================
--- tigervnc-1.6.0.orig/common/rfb/tightDecode.h
+++ tigervnc-1.6.0/common/rfb/tightDecode.h
@@ -279,15 +279,17 @@ TightDecoder::FilterGradient24(rdr::U8 *
int rectWidth = r.width();
for (y = 0; y < rectHeight; y++) {
- /* First pixel in a row */
- for (c = 0; c < 3; c++) {
- pix[c] = netbuf[y*rectWidth*3+c] + prevRow[c];
- thisRow[c] = pix[c];
- }
- serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1);
+ for (x = 0; x < rectWidth; x++) {
+ /* First pixel in a row */
+ if (x == 0) {
+ for (c = 0; c < 3; c++) {
+ pix[c] = netbuf[y*rectWidth*3+c] + prevRow[c];
+ thisRow[c] = pix[c];
+ }
+ serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1);
+ continue;
+ }
- /* Remaining pixels of a row */
- for (x = 1; x < rectWidth; x++) {
for (c = 0; c < 3; c++) {
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
if (est[c] > 0xff) {
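Review bot: The first-pixel branch in FilterGradient24 now sits inside the `x` loop with no comment saying why, and that placement is the whole fix: with `rectWidth == 0` the loop body never runs, so nothing is written to `buf` or `thisRow`. A later cleanup could hoist the `x == 0` case back out to save the per-iteration test and reintroduce the out-of-bounds write. I would extend the comment to something like `/* First pixel in a row; kept inside the loop so a zero-width rect writes nothing */`, and the same wording applies to the FILTER_GRADIENT hunk below. The function body starts and ends outside this hunk.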
@@ -323,17 +325,21 @@ FILTER_GRADIENT(rdr::U8 *netbuf, PIXEL_T
int rectWidth = r.width();
for (y = 0; y < rectHeight; y++) {
- /* First pixel in a row */
- serverpf.rgbFromBuffer(pix, (rdr::U8*)&netbuf[y*rectWidth], 1);
- for (c = 0; c < 3; c++)
- pix[c] += prevRow[c];
- memcpy(thisRow, pix, sizeof(pix));
+ for (x = 0; x < rectWidth; x++) {
+ /* First pixel in a row */
+ if (x == 0) {
+ serverpf.rgbFromBuffer(pix, (rdr::U8*)&netbuf[y*rectWidth], 1);
+ for (c = 0; c < 3; c++)
+ pix[c] += prevRow[c];
- serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1);
+ memcpy(thisRow, pix, sizeof(pix));
+
+ serverpf.bufferFromRGB((rdr::U8*)&buf[y*stride], pix, 1);
+
+ continue;
+ }
- /* Remaining pixels of a row */
- for (x = 1; x < rectWidth; x++) {
for (c = 0; c < 3; c++) {
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
if (est[c] > 255) {
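Review bot: Only the lower bound of `rectWidth` is addressed here; `prevRow[x*3+c]` and `prevRow[(x-1)*3+c]` are still indexed up to `rectWidth-1`, and the same holds for FilterGradient24 in the first hunk. `prevRow` and `thisRow` are declared outside the hunk, so I cannot see whether they are sized from the rect or are fixed-size buffers; if they are fixed, a server-supplied width larger than their capacity needs to be rejected before the filter runs. If that check already exists in the caller, a comment at the top of the loop such as `/* caller guarantees rectWidth fits prevRow/thisRow */` would record it. The function starts before and continues past this hunk.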