Stefan Dirsch
d26ec6dbd4
0001-Make-ZlibInStream-more-robust-against-failures.patch 0002-Encapsulate-PixelBuffer-internal-details.patch 0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch 0004-Add-write-protection-to-OffsetPixelBuffer.patch 0005-Handle-empty-Tight-gradient-rects.patch 0006-Add-unit-test-for-PixelFormat-sanity-checks.patch 0007-Fix-depth-sanity-test-in-PixelFormat.patch 0008-Add-sanity-checks-for-PixelFormat-shift-values.patch 0009-Remove-unused-FixedMemOutStream.patch 0010-Use-size_t-for-lengths-in-stream-objects.patch 0011-Be-defensive-about-overflows-in-stream-objects.patch 0012-Add-unit-tests-for-PixelFormat.is888-detection.patch 0013-Handle-pixel-formats-with-odd-shift-values.patch * stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691, bsc#1159856) * improper value checks in CopyRectDecode may lead to heap buffer overflow (CVE-2019-15692, bsc#1160250) * heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693, bsc#1159858) * improper error handling in processing MemOutStream may lead to heap buffer overflow (CVE-2019-15694, bsc#1160251) * stack buffer overflow, which could be triggered from CMsgReader::readSetCursor (CVE-2019-15695, bsc#1159860) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168
79 lines
2.5 KiB
From b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 Mon Sep 17 00:00:00 2001
|
|
From: Pierre Ossman <ossman@cendio.se>
|
|
Date: Tue, 10 Sep 2019 15:36:42 +0200
|
|
Subject: [PATCH] Handle empty Tight gradient rects
|
|
|
|
We always assumed there would be one pixel per row so a rect with
|
|
a zero width would result in us writing to unknown memory.
|
|
|
|
This could theoretically be used by a malicious server to inject
|
|
code in to the viewer process.
|
|
|
|
Issue found by Pavel Cheremushkin from Kaspersky Lab.
|
|
---
|
|
common/rfb/tightDecode.h | 37 +++++++++++++++++++++----------------
|
|
1 file changed, 21 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/common/rfb/tightDecode.h b/common/rfb/tightDecode.h
|
|
index b6e86ed5..8f77aebd 100644
|
|
--- a/common/rfb/tightDecode.h
|
|
+++ b/common/rfb/tightDecode.h
|
|
@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf,
|
|
int rectWidth = r.width();
|
|
|
|
for (y = 0; y < rectHeight; y++) {
|
|
- /* First pixel in a row */
|
|
- for (c = 0; c < 3; c++) {
|
|
- pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
|
|
- thisRow[c] = pix[c];
|
|
- }
|
|
- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
|
|
+ for (x = 0; x < rectWidth; x++) {
|
|
+ /* First pixel in a row */
|
|
+ if (x == 0) {
|
|
+ for (c = 0; c < 3; c++) {
|
|
+ pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
|
|
+ thisRow[c] = pix[c];
|
|
+ }
|
|
+ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
|
|
+ continue;
|
|
+ }
|
|
|
|
- /* Remaining pixels of a row */
|
|
- for (x = 1; x < rectWidth; x++) {
|
|
for (c = 0; c < 3; c++) {
|
|
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
|
|
if (est[c] > 0xff) {
|
|
@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf,
|
|
int rectWidth = r.width();
|
|
|
|
for (y = 0; y < rectHeight; y++) {
|
|
- /* First pixel in a row */
|
|
- pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
|
|
- for (c = 0; c < 3; c++)
|
|
- pix[c] += prevRow[c];
|
|
+ for (x = 0; x < rectWidth; x++) {
|
|
+ /* First pixel in a row */
|
|
+ if (x == 0) {
|
|
+ pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
|
|
+ for (c = 0; c < 3; c++)
|
|
+ pix[c] += prevRow[c];
|
|
|
|
- memcpy(thisRow, pix, sizeof(pix));
|
|
+ memcpy(thisRow, pix, sizeof(pix));
|
|
|
|
- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
|
|
+ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
|
|
+
|
|
+ continue;
|
|
+ }
|
|
|
|
- /* Remaining pixels of a row */
|
|
- for (x = 1; x < rectWidth; x++) {
|
|
for (c = 0; c < 3; c++) {
|
|
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
|
|
if (est[c] > 255) {
|
|
--
|
|
2.16.4
|
|
|
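Review bot: The `if (x == 0)` branch that now guards the first-pixel handling in both FilterGradient24 (hunk @@ -56) and FilterGradient (hunk @@ -103) carries no comment saying why the first pixel is handled inside the `x` loop rather than before it, so a later cleanup could hoist it back out and reintroduce the zero-width write the commit message describes (CVE-2019-15693 per the package changelog). With `rectWidth == 0` the inner loop never runs, so no byte of `inbuf`, `prevRow`, `thisRow` or `outbuf` is touched for that row, and that invariant deserves to be stated at the loop head in both functions: `/* First-pixel handling lives inside the x loop on purpose: a zero-width rect must not read prevRow or write thisRow/outbuf at all */`. Both enclosing functions start and end outside the hunks, so the per-row prevRow/thisRow swap that follows the loop is not visible here; I am assuming it stays well-defined for a zero-width rect. Style-wise, the two hunks now contain the same loop skeleton twice, which is pre-existing duplication the commit does not need to fix.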