File LibVNCServer-CVE-2018-20750.patch of Package LibVNCServer.27291
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/rfbserver.c 2019-02-05 14:11:27.552345876 +0100
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c 2019-02-05 14:19:41.526622829 +0100
@@ -87,6 +87,9 @@
#include <time.h>
/* PRIu32 */
#include <inttypes.h>
+/* INT_MAX */
+#include <limits.h>
+
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
#include "rfbssl.h"
@@ -1465,8 +1468,11 @@ char *rfbProcessFileTransferReadBuffer(r
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a length of 0XFFFFFFFF
will safely be allocated since this check will never trigger and malloc() can digest length+1
without problems as length is a uint32_t.
+ We also later pass length to rfbReadExact() that expects a signed int type and
+ that might wrap on platforms with a 32-bit int type if length is bigger
+ than 0X7FFFFFFF.
*/
- if(length == SIZE_MAX) {
+ if(length == SIZE_MAX || length > INT_MAX) {
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length requested: %u", (unsigned int)length);
rfbCloseClient(cl);
return NULL;