File LibVNCServer-CVE-2019-20788.patch of Package LibVNCServer.25862
Index: libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.12.orig/libvncclient/rfbproto.c 2019-01-06 20:09:30.000000000 +0100
+++ libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c 2020-04-27 10:32:26.192984242 +0200
@@ -225,6 +225,7 @@ ClearServer2Client(rfbClient* client, in
client->supportedMessages.server2client[((messageType & 0xFF)/8)] &= (!(1<<(messageType % 8)));
}
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
void
DefaultSupportedMessages(rfbClient* client)
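Review bot: The new limit is written as the bare literal `10485760`, which a reader has to check by hand against the "10MB" comment. Spelling it as `#define MAX_TEXTCHAT_SIZE (10 * 1024 * 1024) /* upper bound on a server-sent text chat payload, in bytes */` makes the value self-evident and says what the limit protects. The macro is also defined between two function bodies, far from its use in HandleRFBServerMessage; if the file keeps its other constants near the top, moving it there would make it easier to find.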
@@ -2268,6 +2269,8 @@ HandleRFBServerMessage(rfbClient* client
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
break;
default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
buffer=malloc(msg.tc.length+1);
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
{
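Review bot: The result of `malloc(msg.tc.length+1)` in the default branch is still handed to ReadFromRFBServer without a NULL check, so the new cap bounds the request size but a failed allocation would still end in a write through a null pointer. Add `if (!buffer) return FALSE;` directly after the allocation. The rejection path also returns silently; a log line before `return FALSE;`, for example `rfbClientLog("Rejecting text chat of %u bytes (limit %d)\n", (unsigned)msg.tc.length, MAX_TEXTCHAT_SIZE);`, would make an oversized server message diagnosable. The type of `msg.tc.length` is not visible in this hunk; the guard only works if it is unsigned, which is worth confirming against the message struct. HandleRFBServerMessage starts and ends outside the hunk.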