SHA256
1
0
forked from pool/tigervnc
tigervnc/0006-Add-unit-test-for-PixelFormat-sanity-checks.patch
Stefan Dirsch d26ec6dbd4 - TigerVNC security fix:
0001-Make-ZlibInStream-more-robust-against-failures.patch
  0002-Encapsulate-PixelBuffer-internal-details.patch
  0003-Restrict-PixelBuffer-dimensions-to-safe-values.patch
  0004-Add-write-protection-to-OffsetPixelBuffer.patch
  0005-Handle-empty-Tight-gradient-rects.patch
  0006-Add-unit-test-for-PixelFormat-sanity-checks.patch
  0007-Fix-depth-sanity-test-in-PixelFormat.patch
  0008-Add-sanity-checks-for-PixelFormat-shift-values.patch
  0009-Remove-unused-FixedMemOutStream.patch
  0010-Use-size_t-for-lengths-in-stream-objects.patch
  0011-Be-defensive-about-overflows-in-stream-objects.patch
  0012-Add-unit-tests-for-PixelFormat.is888-detection.patch
  0013-Handle-pixel-formats-with-odd-shift-values.patch
  * stack use-after-return due to incorrect usage of stack memory
    in ZRLEDecoder (CVE-2019-15691, bsc#1159856)
  * improper value checks in CopyRectDecode may lead to heap
    buffer overflow (CVE-2019-15692, bsc#1160250)
  * heap buffer overflow in TightDecoder::FilterGradient
    (CVE-2019-15693, bsc#1159858)
  * improper error handling in processing MemOutStream may lead
    to heap buffer overflow (CVE-2019-15694, bsc#1160251
  * stack buffer overflow, which could be triggered from
    CMsgReader::readSetCurso (CVE-2019-15695, bsc#1159860)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=168
2020-01-07 16:03:18 +00:00

161 lines
4.9 KiB
Diff

From 014c5012377519d7f0add23ebac077ccd882aa9f Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 15:59:51 +0200
Subject: [PATCH] Add unit test for PixelFormat sanity checks
---
common/rfb/PixelFormat.cxx | 3 +-
tests/unit/CMakeLists.txt | 3 ++
tests/unit/pixelformat.cxx | 114 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 119 insertions(+), 1 deletion(-)
create mode 100644 tests/unit/pixelformat.cxx
diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx
index 883b0410..0be4d1da 100644
--- a/common/rfb/PixelFormat.cxx
+++ b/common/rfb/PixelFormat.cxx
@@ -81,7 +81,8 @@ PixelFormat::PixelFormat(int b, int d, bool e, bool t,
redMax(rm), greenMax(gm), blueMax(bm),
redShift(rs), greenShift(gs), blueShift(bs)
{
- assert(isSane());
+ if (!isSane())
+ throw Exception("invalid pixel format");
updateState();
}
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
index c847238d..acc3adcd 100644
--- a/tests/unit/CMakeLists.txt
+++ b/tests/unit/CMakeLists.txt
@@ -8,3 +8,6 @@ target_link_libraries(convertlf rfb)
add_executable(hostport hostport.cxx)
target_link_libraries(hostport rfb)
+
+add_executable(pixelformat pixelformat.cxx)
+target_link_libraries(pixelformat rfb)
diff --git a/tests/unit/pixelformat.cxx b/tests/unit/pixelformat.cxx
new file mode 100644
index 00000000..4eb45281
--- /dev/null
+++ b/tests/unit/pixelformat.cxx
@@ -0,0 +1,114 @@
+/* Copyright 2019 Pierre Ossman <ossman@cendio.se> for Cendio AB
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this software; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ * USA.
+ */
+
+#include <stdio.h>
+
+#include <rfb/PixelFormat.h>
+#include <rfb/Exception.h>
+
+static void doTest(bool should_fail, int b, int d, bool e, bool t,
+ int rm, int gm, int bm, int rs, int gs, int bs)
+{
+ rfb::PixelFormat* pf;
+
+ printf("PixelFormat(%d, %d, %s, %s, %d, %d, %d, %d, %d, %d): ",
+ b, d, e ? "true" : "false", t ? "true": "false",
+ rm, gm, bm, rs, gs, bs);
+
+ try {
+ pf = new rfb::PixelFormat(b, d, e, t, rm, gm, bm, rs, gs, bs);
+ } catch(rfb::Exception &e) {
+ if (should_fail)
+ printf("OK");
+ else
+ printf("FAILED");
+ printf("\n");
+ fflush(stdout);
+ return;
+ }
+
+ delete pf;
+
+ if (should_fail)
+ printf("FAILED");
+ else
+ printf("OK");
+ printf("\n");
+ fflush(stdout);
+}
+
+int main(int argc, char** argv)
+{
+ /* Normal true color formats */
+
+ doTest(false, 32, 24, false, true, 255, 255, 255, 0, 8, 16);
+ doTest(false, 32, 24, false, true, 255, 255, 255, 24, 16, 8);
+
+ doTest(false, 16, 16, false, true, 15, 31, 15, 0, 5, 11);
+
+ doTest(false, 8, 8, false, true, 3, 7, 3, 0, 2, 5);
+
+ /* Excessive bpp */
+
+ doTest(false, 32, 16, false, true, 15, 31, 15, 0, 5, 11);
+
+ doTest(false, 16, 16, false, true, 15, 31, 15, 0, 5, 11);
+
+ doTest(false, 32, 8, false, true, 3, 7, 3, 0, 2, 5);
+
+ doTest(false, 16, 8, false, true, 3, 7, 3, 0, 2, 5);
+
+ /* Colour map */
+
+ doTest(false, 8, 8, false, false, 0, 0, 0, 0, 0, 0);
+
+ /* Invalid bpp */
+
+ doTest(true, 64, 24, false, true, 255, 255, 255, 0, 8, 16);
+
+ doTest(true, 18, 16, false, true, 15, 31, 15, 0, 5, 11);
+
+ doTest(true, 3, 3, false, true, 1, 1, 1, 0, 1, 2);
+
+ /* Invalid depth */
+
+ doTest(true, 16, 24, false, true, 15, 31, 15, 0, 5, 11);
+
+ doTest(true, 8, 24, false, true, 3, 7, 3, 0, 2, 5);
+ doTest(true, 8, 16, false, true, 3, 7, 3, 0, 2, 5);
+
+ doTest(true, 32, 24, false, false, 0, 0, 0, 0, 0, 0);
+
+ /* Invalid max values */
+
+ doTest(true, 32, 24, false, true, 254, 255, 255, 0, 8, 16);
+ doTest(true, 32, 24, false, true, 255, 253, 255, 0, 8, 16);
+ doTest(true, 32, 24, false, true, 255, 255, 252, 0, 8, 16);
+
+ doTest(true, 32, 24, false, true, 511, 127, 127, 0, 16, 20);
+ doTest(true, 32, 24, false, true, 127, 511, 127, 0, 4, 20);
+ doTest(true, 32, 24, false, true, 127, 127, 511, 0, 4, 8);
+
+ /* Overlapping channels */
+
+ doTest(true, 32, 24, false, true, 255, 255, 255, 0, 7, 16);
+ doTest(true, 32, 24, false, true, 255, 255, 255, 0, 8, 15);
+ doTest(true, 32, 24, false, true, 255, 255, 255, 0, 16, 7);
+
+ return 0;
+}
--
2.16.4