SHA256
1
0
forked from pool/tigervnc
tigervnc/u_tigervnc-cve-2014-8240.patch
Michal Srb db57e8e1bf - Update to tigervnc 1.8.0
* Overhaul of the Java client to match the look and behaviour of the native client
  * Initial work for multi-threaded decoding in the Java client
  * vncconfig no longer needed for clipboard with Xvnc/libvnc.so
  * vncserver has system wide config support
  * Full support for alpha cursors in Xvnc/libvnc.so and both viewers
- Removed patches:
  * U_Add-xorg-xserver-1.19-support.patch
  * U_tigervnc-fix-inetd-not-working-with-xserver-1-19.patch
  * U_tigervnc-better-check-for-screen-visibility.patch

- U_tigervnc-better-check-for-screen-visibility.patch
  * Crop operations to visible screen. (bnc#1032272)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=108
2017-05-31 11:59:52 +00:00

42 lines
1.3 KiB
Diff

Patch-Mainline: To be upstreamed
References: bnc#900896 CVE-2014-8240
Signed-off-by: Michal Srb <msrb@suse.com>
Index: tigervnc-1.8.0/unix/x0vncserver/Image.cxx
===================================================================
--- tigervnc-1.8.0.orig/unix/x0vncserver/Image.cxx
+++ tigervnc-1.8.0/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
delete shminfo;
shminfo = NULL;
return;
+ }
+
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
}
shminfo->shmid = shmget(IPC_PRIVATE,