File LibVNCServer-CVE-2020-14399.patch of Package LibVNCServer.25862
From 23e5cbe6b090d7f22982aee909a6a618174d3c2d Mon Sep 17 00:00:00 2001
From: Tobias Junghans <tobydox@veyon.io>
Date: Wed, 27 May 2020 11:47:00 +0200
Subject: [PATCH] libvncclient: fix pointer aliasing/alignment issue
Accessing byte-aligned data through uint32_t pointers can cause crashes
on some platforms or reduce performance. Therefore, ensure proper
stack alignment.
---
libvncclient/rfbproto.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index cd2a297e..6f6d6704 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1151,10 +1151,13 @@ rfbBool
SetFormatAndEncodings(rfbClient* client)
{
rfbSetPixelFormatMsg spf;
- char buf[sz_rfbSetEncodingsMsg + MAX_ENCODINGS * 4];
+ union {
+ char bytes[sz_rfbSetEncodingsMsg + MAX_ENCODINGS*4];
+ rfbSetEncodingsMsg msg;
+ } buf;
- rfbSetEncodingsMsg *se = (rfbSetEncodingsMsg *)buf;
- uint32_t *encs = (uint32_t *)(&buf[sz_rfbSetEncodingsMsg]);
+ rfbSetEncodingsMsg *se = &buf.msg;
+ uint32_t *encs = (uint32_t *)(&buf.bytes[sz_rfbSetEncodingsMsg]);
int len = 0;
rfbBool requestCompressLevel = FALSE;
rfbBool requestQualityLevel = FALSE;
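Review bot: The new union in SetFormatAndEncodings only gets the alignment of its strictest member, so `encs` is 4-byte aligned only if rfbSetEncodingsMsg contains a 32-bit field, which this hunk does not show. If the struct holds only 8- and 16-bit fields, the `(uint32_t *)(&buf.bytes[sz_rfbSetEncodingsMsg])` cast can still yield a misaligned pointer. Adding a 32-bit member to the union, e.g. `uint32_t align;`, would make the guarantee explicit. The offset also relies on sz_rfbSetEncodingsMsg being a multiple of 4, which deserves a comment or a static assertion. The encodings are still written through a `uint32_t *` into `char` storage, so the aliasing half of the subject line is not addressed by this change; the function body continues outside the hunk.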
@@ -1354,7 +1357,7 @@ SetFormatAndEncodings(rfbClient* client)
se->nEncodings = rfbClientSwap16IfLE(se->nEncodings);
- if (!WriteToRFBServer(client, buf, len)) return FALSE;
+ if (!WriteToRFBServer(client, buf.bytes, len)) return FALSE;
return TRUE;
}