Stefan Dirsch
d26ec6dbd4
0001-Make-ZlibInStream-more-robust-against-failures.patch
0002-Encapsulate-PixelBuffer-internal-details.patch
0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch
0004-Add-write-protection-to-OffsetPixelBuffer.patch
0005-Handle-empty-Tight-gradient-rects.patch
0006-Add-unit-test-for-PixelFormat-sanity-checks.patch
0007-Fix-depth-sanity-test-in-PixelFormat.patch
0008-Add-sanity-checks-for-PixelFormat-shift-values.patch
0009-Remove-unused-FixedMemOutStream.patch
0010-Use-size_t-for-lengths-in-stream-objects.patch
0011-Be-defensive-about-overflows-in-stream-objects.patch
0012-Add-unit-tests-for-PixelFormat.is888-detection.patch
0013-Handle-pixel-formats-with-odd-shift-values.patch
* stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691, bsc#1159856)
* improper value checks in CopyRectDecode may lead to heap buffer overflow (CVE-2019-15692, bsc#1160250)
* heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693, bsc#1159858)
* improper error handling in processing MemOutStream may lead to heap buffer overflow (CVE-2019-15694, bsc#1160251)
* stack buffer overflow, which could be triggered from CMsgReader::readSetCurso (CVE-2019-15695, bsc#1159860)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168
75 lines
2.9 KiB
Diff
From 996356b6c65ca165ee1ea46a571c32a1dc3c3821 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 15:21:03 +0200
Subject: [PATCH] Restrict PixelBuffer dimensions to safe values
We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.
This prevents attackers from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.
This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
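As an added illustration, not part of this commit or of TigerVNC's own code, the C program below shows the overflow the message describes: the byte offset `(y * stride + x) * bytesPerPixel` of a pixel in a large framebuffer computed exactly, the value a 32-bit calculation wraps it to, and a dimension check using the same limits this patch adopts. The hostile geometry (65536 x 32768 pixels at 4 bytes per pixel) and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not TigerVNC code.  The limits mirror the values
 * the patch adopts; the offset arithmetic is the generic
 * "(y * stride + x) * bytesPerPixel" that pixel-buffer code performs.
 */
#define MAX_PB_WIDTH  16384
#define MAX_PB_HEIGHT 16384
#define MAX_PB_STRIDE 16384

/* Exact byte offset of pixel (x, y), computed in 64 bits so it cannot overflow. */
int64_t exact_offset(int y, int x, int stride, int bpp)
{
    return ((int64_t)y * stride + x) * (int64_t)bpp;
}

/* What a 32-bit calculation of the same value yields: the low 32 bits
 * reinterpreted as a signed int.  Done through unsigned arithmetic so the
 * demo itself is well-defined C rather than relying on signed overflow. */
int32_t wrapped_offset(int64_t exact)
{
    uint32_t u = (uint32_t)exact;            /* keeps the low 32 bits */
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;   /* two's-complement view */
}

/* Dimension check equivalent to the guard the patch adds to setBuffer().
 * Returns 0 when acceptable, otherwise a code naming the rejected field. */
int validate_dims(int width, int height, int stride)
{
    if (width < 0 || width > MAX_PB_WIDTH)
        return 1;
    if (height < 0 || height > MAX_PB_HEIGHT)
        return 2;
    if (stride < 0 || stride > MAX_PB_STRIDE || stride < width)
        return 3;
    return 0;
}

/* Byte offset of the last pixel of a width x height buffer with the given
 * stride (in pixels) and bytes per pixel; 0 for an empty buffer. */
int64_t last_pixel_offset(int width, int height, int stride, int bpp)
{
    if (width <= 0 || height <= 0)
        return 0;
    return exact_offset(height - 1, width - 1, stride, bpp);
}

int main(void)
{
    /* Constructed hostile geometry a remote side could announce. */
    int w = 65536, h = 32768, s = 65536, bpp = 4;
    int64_t last = last_pixel_offset(w, h, s, bpp);
    printf("hostile: last pixel at byte %lld exactly, %d as int32\n",
           (long long)last, wrapped_offset(last));
    printf("validate_dims -> %d (1 = width rejected)\n", validate_dims(w, h, s));

    /* Largest geometry the patch still allows: fits comfortably in int32. */
    last = last_pixel_offset(MAX_PB_WIDTH, MAX_PB_HEIGHT, MAX_PB_STRIDE, bpp);
    printf("max allowed: last pixel at byte %lld exactly, %d as int32\n",
           (long long)last, wrapped_offset(last));
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c`. For the hostile geometry the last pixel's 32-bit offset comes out negative, i.e. a pointer before the start of the allocation, which is the kind of "invalid area of the heap" the message refers to; the largest geometry the patch permits stays just under 2^30 bytes, leaving headroom below INT_MAX for the 4-byte-per-pixel case.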
---
common/rfb/PixelBuffer.cxx | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx
index 0aa67744..fe406b96 100644
--- a/common/rfb/PixelBuffer.cxx
+++ b/common/rfb/PixelBuffer.cxx
@@ -31,6 +31,14 @@ using namespace rdr;
static LogWriter vlog("PixelBuffer");
+// We do a lot of byte offset calculations that assume the result fits
+// inside a signed 32 bit integer. Limit the maximum size of pixel
+// buffers so that these calculations never overflow.
+
+const int maxPixelBufferWidth = 16384;
+const int maxPixelBufferHeight = 16384;
+const int maxPixelBufferStride = 16384;
+
// -=- Generic pixel buffer class
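Review bot: the three limits are bare 16384s with no record of how they were derived, and the comment above them only says the byte offsets must fit in a signed 32-bit int; state the arithmetic next to the constants so the next person who raises them can check it, e.g. `// 16384 * 16384 pixels * 4 bytes = 2^30, below INT_MAX` together with the assumption that no pixel format exceeds 4 bytes per pixel. They are also file-local `const int`s in PixelBuffer.cxx, so code elsewhere that sizes a buffer (the server path the commit message mentions, for instance) cannot reject oversized dimensions before constructing one; consider declaring them in PixelBuffer.h instead.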
@@ -108,6 +116,11 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf,
void PixelBuffer::setSize(int width, int height)
{
+ if ((width < 0) || (width > maxPixelBufferWidth))
+ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);
+ if ((height < 0) || (height > maxPixelBufferHeight))
+ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);
+
width_ = width;
height_ = height;
}
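Review bot: the width and height checks added to PixelBuffer::setSize() here are repeated verbatim in FullFramePixelBuffer::setBuffer() in the next hunk, which then calls ModifiablePixelBuffer::setSize() and runs them a second time. Keep only the stride and data checks in setBuffer() and rely on setSize() for the dimensions, or move the two checks into a single static helper, so the limits and the exception text cannot drift apart between the two copies.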
@@ -340,6 +353,15 @@ const rdr::U8* FullFramePixelBuffer::getBuffer(const Rect& r, int* stride_) cons
void FullFramePixelBuffer::setBuffer(int width, int height,
rdr::U8* data_, int stride_)
{
+ if ((width < 0) || (width > maxPixelBufferWidth))
+ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);
+ if ((height < 0) || (height > maxPixelBufferHeight))
+ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);
+ if ((stride_ < 0) || (stride_ > maxPixelBufferStride) || (stride_ < width))
+ throw rfb::Exception("Invalid PixelBuffer stride of %d pixels requested", stride_);
+ if ((width != 0) && (height != 0) && (data_ == NULL))
+ throw rfb::Exception("PixelBuffer requested without a valid memory area");
+
ModifiablePixelBuffer::setSize(width, height);
stride = stride_;
data = data_;
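Review bot: the `data_ == NULL` check catches only a missing buffer; nothing in setBuffer() can verify that `data_` actually spans `height * stride_` pixels, so that requirement should be documented on the declaration in PixelBuffer.h together with the new limits and the fact that `stride_` is counted in pixels, as the exception text already implies. The NULL check is also skipped when either dimension is 0, which means a 0 x N buffer with no backing memory is accepted; that is harmless only as long as no caller then asks for row pointers, and the header comment should say so.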
--
2.16.4