Overview

File LibVNCServer-CVE-2019-20840.patch of Package LibVNCServer.17330

Index: libvncserver-LibVNCServer-0.9.10/libvncserver/websockets.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/websockets.c	2020-07-09 10:00:41.160582292 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/websockets.c	2020-07-09 10:02:54.881372618 +0200
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
   int bufsize;
   int nextRead;
   unsigned char *data;
-  uint32_t *data32;
   ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
 
   /* if data was carried over, copy to start of buffer */
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
   /* for a possible base64 decoding, we decode multiples of 4 bytes until
    * the whole frame is received and carry over any remaining bytes in the carry buf*/
   data = (unsigned char *)hybiPayloadStart(wsctx);
-  data32= (uint32_t *)data;
 
   for (i = 0; i < (toDecode >> 2); i++) {
-    data32[i] ^= wsctx->header.mask.u;
+    uint32_t tmp;
+    memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
+    tmp ^= wsctx->header.mask.u;
+    memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
   }
   rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
openSUSE Build Service is sponsored by
Places