tigervnc/0007-Fix-depth-sanity-test-in-PixelFormat.patch
Stefan Dirsch d26ec6dbd4 - TigerVNC security fix:
0001-Make-ZlibInStream-more-robust-against-failures.patch
  0002-Encapsulate-PixelBuffer-internal-details.patch
  0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch
  0004-Add-write-protection-to-OffsetPixelBuffer.patch
  0005-Handle-empty-Tight-gradient-rects.patch
  0006-Add-unit-test-for-PixelFormat-sanity-checks.patch
  0007-Fix-depth-sanity-test-in-PixelFormat.patch
  0008-Add-sanity-checks-for-PixelFormat-shift-values.patch
  0009-Remove-unused-FixedMemOutStream.patch
  0010-Use-size_t-for-lengths-in-stream-objects.patch
  0011-Be-defensive-about-overflows-in-stream-objects.patch
  0012-Add-unit-tests-for-PixelFormat.is888-detection.patch
  0013-Handle-pixel-formats-with-odd-shift-values.patch
  * stack use-after-return due to incorrect usage of stack memory
    in ZRLEDecoder (CVE-2019-15691, bsc#1159856)
  * improper value checks in CopyRectDecode may lead to heap
    buffer overflow (CVE-2019-15692, bsc#1160250)
  * heap buffer overflow in TightDecoder::FilterGradient
    (CVE-2019-15693, bsc#1159858)
  * improper error handling in processing MemOutStream may lead
    to heap buffer overflow (CVE-2019-15694, bsc#1160251
  * stack buffer overflow, which could be triggered from
    CMsgReader::readSetCurso (CVE-2019-15695, bsc#1159860)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168
2020-01-07 16:03:18 +00:00

42 lines
1.3 KiB
Diff

From f1b9b868ec943d51ef631f53a095d48d3f178f4f Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 16:01:44 +0200
Subject: [PATCH] Fix depth sanity test in PixelFormat
---
common/rfb/PixelFormat.cxx | 2 +-
tests/unit/pixelformat.cxx | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx
index 0be4d1da..2d8142d1 100644
--- a/common/rfb/PixelFormat.cxx
+++ b/common/rfb/PixelFormat.cxx
@@ -679,7 +679,7 @@ bool PixelFormat::isSane(void)
return false;
totalBits = bits(redMax) + bits(greenMax) + bits(blueMax);
- if (totalBits > bpp)
+ if (totalBits > depth)
return false;
if (((redMax << redShift) & (greenMax << greenShift)) != 0)
diff --git a/tests/unit/pixelformat.cxx b/tests/unit/pixelformat.cxx
index 4eb45281..7b6087f7 100644
--- a/tests/unit/pixelformat.cxx
+++ b/tests/unit/pixelformat.cxx
@@ -104,6 +104,10 @@ int main(int argc, char** argv)
doTest(true, 32, 24, false, true, 127, 511, 127, 0, 4, 20);
doTest(true, 32, 24, false, true, 127, 127, 511, 0, 4, 8);
+ /* Insufficient depth */
+
+ doTest(true, 32, 16, false, true, 255, 255, 255, 0, 8, 16);
+
/* Overlapping channels */
doTest(true, 32, 24, false, true, 255, 255, 255, 0, 7, 16);
--
2.16.4