Stefan Dirsch
d26ec6dbd4
0001-Make-ZlibInStream-more-robust-against-failures.patch
0002-Encapsulate-PixelBuffer-internal-details.patch
0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch
0004-Add-write-protection-to-OffsetPixelBuffer.patch
0005-Handle-empty-Tight-gradient-rects.patch
0006-Add-unit-test-for-PixelFormat-sanity-checks.patch
0007-Fix-depth-sanity-test-in-PixelFormat.patch
0008-Add-sanity-checks-for-PixelFormat-shift-values.patch
0009-Remove-unused-FixedMemOutStream.patch
0010-Use-size_t-for-lengths-in-stream-objects.patch
0011-Be-defensive-about-overflows-in-stream-objects.patch
0012-Add-unit-tests-for-PixelFormat.is888-detection.patch
0013-Handle-pixel-formats-with-odd-shift-values.patch
* stack use-after-return due to incorrect usage of stack memory
in ZRLEDecoder (CVE-2019-15691, bsc#1159856)
* improper value checks in CopyRectDecode may lead to heap
buffer overflow (CVE-2019-15692, bsc#1160250)
* heap buffer overflow in TightDecoder::FilterGradient
(CVE-2019-15693, bsc#1159858)
* improper error handling in processing MemOutStream may lead
to heap buffer overflow (CVE-2019-15694, bsc#1160251
* stack buffer overflow, which could be triggered from
CMsgReader::readSetCurso (CVE-2019-15695, bsc#1159860)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168
58 lines
1.9 KiB
Diff
58 lines
1.9 KiB
Diff
From cd1d650c532a46e95a1229dffaf281c76a50cdfe Mon Sep 17 00:00:00 2001
|
|
From: Pierre Ossman <ossman@cendio.se>
|
|
Date: Tue, 10 Sep 2019 16:07:50 +0200
|
|
Subject: [PATCH] Add sanity checks for PixelFormat shift values
|
|
|
|
Otherwise we might be tricked in to reading and writing things at
|
|
incorrect offsets for pixels which ultimately could result in an
|
|
attacker writing things to the stack or heap and executing things
|
|
they shouldn't.
|
|
|
|
This only affects the server as the client never uses the pixel
|
|
format suggested by th server.
|
|
|
|
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
|
---
|
|
common/rfb/PixelFormat.cxx | 7 +++++++
|
|
tests/unit/pixelformat.cxx | 6 ++++++
|
|
2 files changed, 13 insertions(+)
|
|
|
|
diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx
|
|
index 2d8142d1..789c43ed 100644
|
|
--- a/common/rfb/PixelFormat.cxx
|
|
+++ b/common/rfb/PixelFormat.cxx
|
|
@@ -682,6 +682,13 @@ bool PixelFormat::isSane(void)
|
|
if (totalBits > depth)
|
|
return false;
|
|
|
|
+ if ((bits(redMax) + redShift) > bpp)
|
|
+ return false;
|
|
+ if ((bits(greenMax) + greenShift) > bpp)
|
|
+ return false;
|
|
+ if ((bits(blueMax) + blueShift) > bpp)
|
|
+ return false;
|
|
+
|
|
if (((redMax << redShift) & (greenMax << greenShift)) != 0)
|
|
return false;
|
|
if (((redMax << redShift) & (blueMax << blueShift)) != 0)
|
|
diff --git a/tests/unit/pixelformat.cxx b/tests/unit/pixelformat.cxx
|
|
index 7b6087f7..46fecfb4 100644
|
|
--- a/tests/unit/pixelformat.cxx
|
|
+++ b/tests/unit/pixelformat.cxx
|
|
@@ -108,6 +108,12 @@ int main(int argc, char** argv)
|
|
|
|
doTest(true, 32, 16, false, true, 255, 255, 255, 0, 8, 16);
|
|
|
|
+ /* Invalid shift values */
|
|
+
|
|
+ doTest(true, 32, 24, false, true, 255, 255, 255, 25, 8, 16);
|
|
+ doTest(true, 32, 24, false, true, 255, 255, 255, 0, 25, 16);
|
|
+ doTest(true, 32, 24, false, true, 255, 255, 255, 0, 8, 25);
|
|
+
|
|
/* Overlapping channels */
|
|
|
|
doTest(true, 32, 24, false, true, 255, 255, 255, 0, 7, 16);
|
|
--
|
|
2.16.4
|
|
|