4afb8cbad7
Fixes: CVE-2014-6051 and CVE-2014-6052 denial of service and possible code execution via integer overflow and lack of malloc error handling in MallocFrameBuffer() CVE-2014-6053 denial of service via large ClientCutText message. CVE-2014-6054 denial of service via zero scaling factor. CVE-2014-6055 denial of service and possible code execution via stack overflows in File Transfer feature. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
22 lines
858 B
Diff
22 lines
858 B
Diff
Description: fix denial of service via large ClientCutText message
|
|
Origin: backport, https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
|
|
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
Index: libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c
|
|
===================================================================
|
|
--- libvncserver-0.9.9+dfsg.orig/libvncserver/rfbserver.c 2012-05-04 10:19:00.000000000 -0400
|
|
+++ libvncserver-0.9.9+dfsg/libvncserver/rfbserver.c 2014-09-25 11:12:36.124058413 -0400
|
|
@@ -2457,6 +2457,11 @@
|
|
msg.cct.length = Swap32IfLE(msg.cct.length);
|
|
|
|
str = (char *)malloc(msg.cct.length);
|
|
+ if (str == NULL) {
|
|
+ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
|
|
+ rfbCloseClient(cl);
|
|
+ return;
|
|
+ }
|
|
|
|
if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
|
|
if (n != 0)
|