Group :: Rede/Acesso Remoto
RPM: tigervnc
Patch: Ubuntu-CVE-2014-8240-849479.patch
Description: Fix integer overflow in TigerVNC that allowed remote VNC servers to cause a denial of service (crash).
Author: Tim Waugh
Abstract:
Fix integer overflow in TigerVNC that allowed remote VNC servers to
cause a denial of service (crash) and possibly execute arbitrary code
via vectors related to screen size handling, which triggered a heap-based
buffer overflow, a similar issue to CVE-2014-6051.
.
This issue is CVE-2014-8240.
Index: pkg-tigervnc/unix/x0vncserver/Image.cxx
===================================================================
--- pkg-tigervnc.orig/unix/x0vncserver/Image.cxx
+++ pkg-tigervnc/unix/x0vncserver/Image.cxx
@@ -82,6 +82,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
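Review bot: The new size check in Image::Init dereferences `xim` directly after XCreateImage() with no NULL test visible in the hunk, whereas both PlatformPixelBuffer.cxx hunks test `!xim` first. XCreateImage() can return NULL, so a guard such as `if (xim == NULL) { vlog.error("XCreateImage() failed"); exit(1); }` belongs ahead of the check. Separately, all four hunks use `INT_MAX`, yet none of them adds `#include <limits.h>` to Image.cxx or PlatformPixelBuffer.cxx; unless each file already includes it outside the hunks, the build relies on a transitive include. The body of Image::Init starts and ends outside the hunk.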
@@ -257,6 +265,17 @@ void ShmImage::Init(int width, int heigh
delete shminfo;
shminfo = NULL;
return;
+ }
+
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
}
shminfo->shmid = shmget(IPC_PRIVATE,
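Review bot: This three-condition test is a verbatim copy of the one added to Image::Init, and it appears twice more in the PlatformPixelBuffer.cxx hunks, so any later correction to the bound has to be made in four places. A single shared helper (suggested name only: `static bool imageSizeIsValid(const XImage *xim)`) would hold the comparison once. It should carry a comment saying that the check keeps `bytes_per_line * height` below INT_MAX before the product is passed to malloc() or shmget(). ShmImage::Init begins before the hunk and continues after it.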
Index: pkg-tigervnc/vncviewer/PlatformPixelBuffer.cxx
===================================================================
--- pkg-tigervnc.orig/vncviewer/PlatformPixelBuffer.cxx
+++ pkg-tigervnc/vncviewer/PlatformPixelBuffer.cxx
@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer
if (!xim)
throw rdr::Exception("XCreateImage");
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
if (!xim->data)
throw rdr::Exception("malloc");
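Review bot: The `if (xim)` test inside the new branch can never be false, because `xim` was already rejected by `if (!xim) throw` two lines earlier and is dereferenced in the branch condition itself. The cleanup should simply read `XDestroyImage(xim);`, which also makes it match the other three hunks. The enclosing constructor starts outside the hunk, so whether anything acquired earlier needs releasing before the throw cannot be judged from here.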
@@ -157,6 +166,16 @@ bool PlatformPixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0600);
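Review bot: The new branch in setupShm() frees `xim` and `shminfo` by hand and throws, while the failure just above it leaves through `goto free_shminfo`, so the function now has two cleanup styles and two ways of reporting an error. If the throw is deliberate, presumably because the non-SHM path in the constructor would reject the same size, a comment should say so, for example `// Not SHM-specific: the malloc() path applies the same limit, so fail hard instead of returning false`. Otherwise `XDestroyImage(xim); xim = NULL; goto free_shminfo;` would reuse the existing exit path. The cleanup labels lie outside the hunk, so what `free_shminfo` releases should be confirmed before switching.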