Overview

File LibVNCServer-CVE-2026-32854.patch of Package LibVNCServer.43386

From dc78dee51a7e270e537a541a17befdf2073f5314 Mon Sep 17 00:00:00 2001
From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:42:00 +0900
Subject: [PATCH] libvncserver: fix NULL pointer dereferences in httpd proxy
 handlers

httpProcessInput() passes the return value of strchr() to atoi()
and strncmp() without checking for NULL. If a CONNECT request
contains no colon, or a GET request contains no slash, strchr()
returns NULL, leading to a segmentation fault.

Add NULL checks before using the strchr() return values.
---
 libvncserver/httpd.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

Index: libvncserver-LibVNCServer-0.9.10/libvncserver/httpd.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/httpd.c
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/httpd.c
@@ -342,10 +342,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScr
 
 
     /* Process the request. */
-    if(rfbScreen->httpEnableProxyConnect) {
+if(rfbScreen->httpEnableProxyConnect) {
 	const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
 	if(!strncmp(buf, "CONNECT ", 8)) {
-	    if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
+	    char *colon = strchr(buf, ':');
+	    if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
 		rfbErr("httpd: CONNECT format invalid.\n");
 		rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
 		httpCloseSock(rfbScreen);
@@ -358,14 +359,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScr
 	    rfbScreen->httpSock = -1;
 	    return;
 	}
-	if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
-	    /* proxy connection */
-	    rfbLog("httpd: client asked for /proxied.connection\n");
-	    rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
-	    rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
-	    rfbScreen->httpSock = -1;
-	    return;
-	}	   
+	if (!strncmp(buf, "GET ",4)) {
+	    char *slash = strchr(buf, '/');
+	    if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
+		/* proxy connection */
+		rfbLog("httpd: client asked for /proxied.connection\n");
+		rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+		rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+		rfbScreen->httpSock = -1;
+		return;
+	    }
+	}
     }
 
     if (strncmp(buf, "GET ", 4)) {
openSUSE Build Service is sponsored by
Places