forked from pool/tigervnc
fffdcfbc39
- Update to tigervnc 1.4.1 on xorg-server 1.16.1. OBS-URL: https://build.opensuse.org/request/show/280582 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=46
79 lines
2.5 KiB
Diff
79 lines
2.5 KiB
Diff
Patch-Mainline: To be upstreamed
|
|
References: bnc#900896 CVE-2014-8240
|
|
Signed-off-by: Michal Srb <msrb@suse.com>
|
|
|
|
Index: tigervnc-1.4.1/unix/x0vncserver/Image.cxx
|
|
===================================================================
|
|
--- tigervnc-1.4.1.orig/unix/x0vncserver/Image.cxx
|
|
+++ tigervnc-1.4.1/unix/x0vncserver/Image.cxx
|
|
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
|
|
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
|
|
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
|
|
|
|
+ if (xim->bytes_per_line <= 0 ||
|
|
+ xim->height <= 0 ||
|
|
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
+ vlog.error("Invalid display size");
|
|
+ XDestroyImage(xim);
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
|
|
if (xim->data == NULL) {
|
|
vlog.error("malloc() failed");
|
|
@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
|
|
delete shminfo;
|
|
shminfo = NULL;
|
|
return;
|
|
+ }
|
|
+
|
|
+ if (xim->bytes_per_line <= 0 ||
|
|
+ xim->height <= 0 ||
|
|
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
+ vlog.error("Invalid display size");
|
|
+ XDestroyImage(xim);
|
|
+ xim = NULL;
|
|
+ delete shminfo;
|
|
+ shminfo = NULL;
|
|
+ return;
|
|
}
|
|
|
|
shminfo->shmid = shmget(IPC_PRIVATE,
|
|
Index: tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
|
|
===================================================================
|
|
--- tigervnc-1.4.1.orig/vncviewer/X11PixelBuffer.cxx
|
|
+++ tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
|
|
@@ -106,6 +106,15 @@ X11PixelBuffer::X11PixelBuffer(int width
|
|
if (!xim)
|
|
throw rfb::Exception(_("Could not create framebuffer image"));
|
|
|
|
+ if (xim->bytes_per_line <= 0 ||
|
|
+ xim->height <= 0 ||
|
|
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
+ if (xim)
|
|
+ XDestroyImage(xim);
|
|
+ xim = NULL;
|
|
+ throw rfb::Exception("Invalid display size");
|
|
+ }
|
|
+
|
|
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
|
|
if (!xim->data)
|
|
throw rfb::Exception(_("Not enough memory for framebuffer"));
|
|
@@ -172,6 +181,16 @@ int X11PixelBuffer::setupShm()
|
|
if (!xim)
|
|
goto free_shminfo;
|
|
|
|
+ if (xim->bytes_per_line <= 0 ||
|
|
+ xim->height <= 0 ||
|
|
+ xim->height >= INT_MAX / xim->bytes_per_line) {
|
|
+ XDestroyImage(xim);
|
|
+ xim = NULL;
|
|
+ delete shminfo;
|
|
+ shminfo = NULL;
|
|
+ throw rfb::Exception("Invalid display size");
|
|
+ }
|
|
+
|
|
shminfo->shmid = shmget(IPC_PRIVATE,
|
|
xim->bytes_per_line * xim->height,
|
|
IPC_CREAT|0777);
|