tigervnc/0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch

From 996356b6c65ca165ee1ea46a571c32a1dc3c3821 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 15:21:03 +0200
Subject: [PATCH] Restrict PixelBuffer dimensions to safe values

We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.

This prevents attackers from from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.

This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.

Issue found by Pavel Cheremushkin from Kaspersky Lab.
---
 common/rfb/PixelBuffer.cxx | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx
index 0aa67744..fe406b96 100644
--- a/common/rfb/PixelBuffer.cxx
+++ b/common/rfb/PixelBuffer.cxx
@@ -31,6 +31,14 @@ using namespace rdr;
 
 static LogWriter vlog("PixelBuffer");
 
+// We do a lot of byte offset calculations that assume the result fits
+// inside a signed 32 bit integer. Limit the maximum size of pixel
+// buffers so that these calculations never overflow.
+
+const int maxPixelBufferWidth = 16384;
+const int maxPixelBufferHeight = 16384;
+const int maxPixelBufferStride = 16384;
+
 
 // -=- Generic pixel buffer class
 
@@ -108,6 +116,11 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf,
 
 void PixelBuffer::setSize(int width, int height)
 {
+  if ((width < 0) || (width > maxPixelBufferWidth))
+    throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);
+  if ((height < 0) || (height > maxPixelBufferHeight))
+    throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);
+
   width_ = width;
   height_ = height;
 }
@@ -340,6 +353,15 @@ const rdr::U8* FullFramePixelBuffer::getBuffer(const Rect& r, int* stride_) cons
 void FullFramePixelBuffer::setBuffer(int width, int height,
                                      rdr::U8* data_, int stride_)
 {
+  if ((width < 0) || (width > maxPixelBufferWidth))
+    throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);
+  if ((height < 0) || (height > maxPixelBufferHeight))
+    throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);
+  if ((stride_ < 0) || (stride_ > maxPixelBufferStride) || (stride_ < width))
+    throw rfb::Exception("Invalid PixelBuffer stride of %d pixels requested", stride_);
+  if ((width != 0) && (height != 0) && (data_ == NULL))
+    throw rfb::Exception("PixelBuffer requested without a valid memory area");
+
   ModifiablePixelBuffer::setSize(width, height);
   stride = stride_;
   data = data_;
-- 
2.16.4
- TigerVNC security fix: 0001-Make-ZlibInStream-more-robust-against-failures.patch 0002-Encapsulate-PixelBuffer-internal-details.patch 0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch 0004-Add-write-protection-to-OffsetPixelBuffer.patch 0005-Handle-empty-Tight-gradient-rects.patch 0006-Add-unit-test-for-PixelFormat-sanity-checks.patch 0007-Fix-depth-sanity-test-in-PixelFormat.patch 0008-Add-sanity-checks-for-PixelFormat-shift-values.patch 0009-Remove-unused-FixedMemOutStream.patch 0010-Use-size_t-for-lengths-in-stream-objects.patch 0011-Be-defensive-about-overflows-in-stream-objects.patch 0012-Add-unit-tests-for-PixelFormat.is888-detection.patch 0013-Handle-pixel-formats-with-odd-shift-values.patch * stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691, bsc#1159856) * improper value checks in CopyRectDecode may lead to heap buffer overflow (CVE-2019-15692, bsc#1160250) * heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693, bsc#1159858) * improper error handling in processing MemOutStream may lead to heap buffer overflow (CVE-2019-15694, bsc#1160251 * stack buffer overflow, which could be triggered from CMsgReader::readSetCurso (CVE-2019-15695, bsc#1159860) OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168 2020-01-07 17:03:18 +01:00			`From 996356b6c65ca165ee1ea46a571c32a1dc3c3821 Mon Sep 17 00:00:00 2001`
			`From: Pierre Ossman <ossman@cendio.se>`
			`Date: Tue, 10 Sep 2019 15:21:03 +0200`
			`Subject: [PATCH] Restrict PixelBuffer dimensions to safe values`

			`We do a lot of calculations based on pixel coordinates and we need`
			`to make sure they do not overflow. Restrict the maximum dimensions`
			`we support rather than try to switch over all calculations to use`
			`64 bit integers.`

			`This prevents attackers from from injecting code by specifying a`
			`huge framebuffer size and relying on the values overflowing to`
			`access invalid areas of the heap.`

			`This primarily affects the client which gets both the screen`
			`dimensions and the pixel contents from the remote side. But the`
			`server might also be affected as a client can adjust the screen`
			`dimensions, as can applications inside the session.`

			`Issue found by Pavel Cheremushkin from Kaspersky Lab.`
			`---`
			`common/rfb/PixelBuffer.cxx \| 22 ++++++++++++++++++++++`
			`1 file changed, 22 insertions(+)`

			`diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx`
			`index 0aa67744..fe406b96 100644`
			`--- a/common/rfb/PixelBuffer.cxx`
			`+++ b/common/rfb/PixelBuffer.cxx`
			`@@ -31,6 +31,14 @@ using namespace rdr;`

			`static LogWriter vlog("PixelBuffer");`

			`+// We do a lot of byte offset calculations that assume the result fits`
			`+// inside a signed 32 bit integer. Limit the maximum size of pixel`
			`+// buffers so that these calculations never overflow.`
			`+`
			`+const int maxPixelBufferWidth = 16384;`
			`+const int maxPixelBufferHeight = 16384;`
			`+const int maxPixelBufferStride = 16384;`
			`+`

			`// -=- Generic pixel buffer class`

			`@@ -108,6 +116,11 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf,`

			`void PixelBuffer::setSize(int width, int height)`
			`{`
			`+ if ((width < 0) \|\| (width > maxPixelBufferWidth))`
			`+ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);`
			`+ if ((height < 0) \|\| (height > maxPixelBufferHeight))`
			`+ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);`
			`+`
			`width_ = width;`
			`height_ = height;`
			`}`
			`@@ -340,6 +353,15 @@ const rdr::U8* FullFramePixelBuffer::getBuffer(const Rect& r, int* stride_) cons`
			`void FullFramePixelBuffer::setBuffer(int width, int height,`
			`rdr::U8* data_, int stride_)`
			`{`
			`+ if ((width < 0) \|\| (width > maxPixelBufferWidth))`
			`+ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width);`
			`+ if ((height < 0) \|\| (height > maxPixelBufferHeight))`
			`+ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height);`
			`+ if ((stride_ < 0) \|\| (stride_ > maxPixelBufferStride) \|\| (stride_ < width))`
			`+ throw rfb::Exception("Invalid PixelBuffer stride of %d pixels requested", stride_);`
			`+ if ((width != 0) && (height != 0) && (data_ == NULL))`
			`+ throw rfb::Exception("PixelBuffer requested without a valid memory area");`
			`+`
			`ModifiablePixelBuffer::setSize(width, height);`
			`stride = stride_;`
			`data = data_;`
			`--`
			`2.16.4`