[vino] Avoid out-of-bounds memory accesses



commit 8beefcf7792d343c10c919ee0c928c81f73b1279
Author: David King <amigadave amigadave com>
Date:   Tue Apr 26 22:31:36 2011 +0200

    Avoid out-of-bounds memory accesses
    
    This fixes two critical security vulnerabilities that lead to an
    out-of-bounds memory access with a crafted client framebuffer update
    request packet. The dimensions of the update from the packet are checked
    to ensure that they are within the screen dimensions.
    
    Thanks to Kevin Chen from the Bitblaze group for the reports in bugs
    641802 and 641803. The CVE identifiers for these vulnerabilities are
    CVE-2011-0904 and CVE-2011-0905.

 server/libvncserver/rfbserver.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
index 8c35853..f02a7f9 100644
--- a/server/libvncserver/rfbserver.c
+++ b/server/libvncserver/rfbserver.c
@@ -1163,6 +1163,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
         cl->rfbRawBytesEquivalent += (sz_rfbFramebufferUpdateRectHeader
                                       + w * (cl->format.bitsPerPixel / 8) * h);
 
+        /* Validate the rectangle given by the update packet. */
+        if (w + x > cl->screen->width || h + y > cl->screen->height)
+            goto tx_error;
+
         switch (cl->preferredEncoding) {
         case rfbEncodingRaw:
             if (!rfbSendRectEncodingRaw(cl, x, y, w, h))



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]