[vino/gnome-2-32] Avoid out-of-bounds memory accesses
- From: David King <davidk src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [vino/gnome-2-32] Avoid out-of-bounds memory accesses
- Date: Mon, 2 May 2011 16:44:23 +0000 (UTC)
commit e17bd4e369f90748654e31a4867211dc7610975d
Author: David King <amigadave amigadave com>
Date: Tue Apr 26 22:31:36 2011 +0200
Avoid out-of-bounds memory accesses
This fixes two critical security vulnerabilities that lead to an
out-of-bounds memory access with a crafted client framebuffer update
request packet. The dimensions of the update from the packet are checked
to ensure that they are within the screen dimensions.
Thanks to Kevin Chen from the Bitblaze group for the reports in bugs
641802 and 641803. The CVE identifiers for these vulnerabilities are
CVE-2011-0904 and CVE-2011-0905.
server/libvncserver/rfbserver.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
index a0ef905..09b0e23 100644
--- a/server/libvncserver/rfbserver.c
+++ b/server/libvncserver/rfbserver.c
@@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader
+ w * (cl->format.bitsPerPixel / 8) * h);
+ /* Validate the rectangle given by the update packet. */
+ if (w + x > cl->screen->width || h + y > cl->screen->height)
+ goto tx_error;
+
switch (cl->preferredEncoding) {
case rfbEncodingRaw:
if (!rfbSendRectEncodingRaw(cl, x, y, w, h))
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]