Overview

File U_tigervnc-prevent-double-free-by-crafted-fences.patch of Package tigervnc.openSUSE_Leap_42.2_Update

Git-commit: f3afa24da144409a3c3a0e35913112583d987671
Patch-Mainline: Upstream
References: bnc#1031875
From: Michal Srb <michalsrb@gmail.com>
Subject: Prevent double free by crafted fences.

If client sent fence with some data, followed by fence with no data (length 0), the original fence data were freed, but the pointer kept pointing at them. Sending one more fence would attempt to free them again.

diff --git a/common/rfb/SMsgWriter.cxx b/common/rfb/SMsgWriter.cxx
index cf3264e..bc3f439 100644
--- a/common/rfb/SMsgWriter.cxx
+++ b/common/rfb/SMsgWriter.cxx
@@ -101,7 +101,9 @@ void SMsgWriter::writeFence(rdr::U32 flags, unsigned len, const char data[])
   os->writeU32(flags);
 
   os->writeU8(len);
-  os->writeBytes(data, len);
+
+  if (len > 0)
+    os->writeBytes(data, len);
 
   endMsg();
 }
diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 0a2ca33..d2206f9 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -666,6 +666,7 @@ void VNCSConnectionST::fence(rdr::U32 flags, unsigned len, const char data[])
       fenceFlags = flags & (fenceFlagBlockBefore | fenceFlagBlockAfter | fenceFlagSyncNext);
       fenceDataLen = len;
       delete [] fenceData;
+      fenceData = NULL;
       if (len > 0) {
         fenceData = new char[len];
         memcpy(fenceData, data, len);
openSUSE Build Service is sponsored by
Places