File LibVNCServer-CVE-2014-6053.patch of Package LibVNCServer
From 6037a9074d52b1963c97cb28ea1096c7c14cbf28 Mon Sep 17 00:00:00 2001
From: Nicolas Ruff <nruff@google.com>
Date: Mon, 18 Aug 2014 15:16:16 +0200
Subject: [PATCH] Check malloc() return value on client->server ClientCutText
message. Client can send up to 2**32-1 bytes of text, and such a large
allocation is likely to fail in case of high memory pressure. This would in a
server crash (write at address 0).
---
libvncserver/rfbserver.c | 5 +++++
1 file changed, 5 insertions(+)
Index: LibVNCServer-0.9.9/libvncserver/rfbserver.c
===================================================================
--- LibVNCServer-0.9.9.orig/libvncserver/rfbserver.c
+++ LibVNCServer-0.9.9/libvncserver/rfbserver.c
@@ -2457,6 +2457,11 @@
msg.cct.length = Swap32IfLE(msg.cct.length);
str = (char *)malloc(msg.cct.length);
+ if (str == NULL) {
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ rfbCloseClient(cl);
+ return;
+ }
if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
if (n != 0)