File n_Xvnc-fix-use-after-free-in-rfbauthreenable.patch of Package xorg-x11-server.openSUSE_12.2_Update

Subject: Fix use after free in rfbAuthReenable.
Author: Michal Srb <msrb@suse.cz>
References: bnc#816813
Patch-Mainline: Never

rfbAuthReenable accesses an rfbClient structure that was, in most cases, already freed.
It actually needs only ScreenPtr, so pass it directly.

diff -ur xorg-server-1.6.5.orig/hw/vnc/auth.c xorg-server-1.6.5/hw/vnc/auth.c
--- xorg-server-1.6.5.orig/hw/vnc/auth.c	2013-05-15 18:18:51.000000000 +0200
+++ xorg-server-1.6.5/hw/vnc/auth.c	2013-05-15 18:17:08.000000000 +0200
@@ -505,9 +505,8 @@
 static CARD32
 rfbAuthReenable(OsTimerPtr timer, CARD32 now, pointer arg)
 {
-    rfbClientPtr cl = (rfbClientPtr) arg;
-    VNCSCREENPTR(cl->pScreen);
-    (void)cl;
+    ScreenPtr pScreen = (ScreenPtr) arg;
+    VNCSCREENPTR(pScreen);
     pVNC->rfbAuthTooManyTries = FALSE;
     return 0;
 }
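Review bot: The new callback silently depends on every TimerSet caller passing a ScreenPtr as `arg`, but nothing at the function states that contract, and the old signature (`pointer arg`) makes a wrong argument type compile cleanly. A short comment above `rfbAuthReenable` would pin it, e.g. `/* Timer callback: arg is the ScreenPtr, not the client — the client may already be freed when the timer fires. */`. The cast `ScreenPtr pScreen = (ScreenPtr) arg;` is otherwise fine, since the screen outlives any client timer.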
@@ -529,7 +528,7 @@
 	CARD32 delay = AUTH_TOO_MANY_BASE_DELAY;
 	for (i = MAX_AUTH_TRIES; i < pVNC->rfbAuthTries; i++)
 	    delay *= 2;
-	pVNC->timer = TimerSet(pVNC->timer, 0, delay, rfbAuthReenable, cl);
+	pVNC->timer = TimerSet(pVNC->timer, 0, delay, rfbAuthReenable, cl->pScreen);
 	pVNC->rfbAuthTooManyTries = TRUE;
 	return TRUE;
     }
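Review bot: Passing `cl->pScreen` is the right fix for the client lifetime, but the timer stored in `pVNC->timer` now carries a raw ScreenPtr and I cannot see from this hunk whether it is cancelled (TimerCancel/TimerFree) when the VNC screen private is torn down; if it is not, the callback would dereference a stale `pVNC` on screen close, which is the same class of bug this patch fixes one level up. Worth confirming against the screen close path outside the hunk. The enclosing function starts and ends outside this hunk.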