From 26f4b2c203d6d0ef0c8204a48dba504870c2cfdf Mon Sep 17 00:00:00 2001

From: Wim Taymans <wtaymans@redhat.com>

Date: Tue, 6 Dec 2016 10:24:03 +0100

Subject: [PATCH] vmncdec: Sanity-check width/height before using it

We will allocate a screen area of width*height*bpp bytes, however this

calculation can easily overflow if too high width or height are given

inside the stream. Nonetheless we would just assume that enough memory

was allocated, try to fill it and overwrite as much memory as wanted.

Also allocate the screen area filled with zeroes to ensure that we start

with full-black and not any random (or not so random) data.

https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html

Ideally we should just remove this plugin in favour of the one in

gst-libav, which generally seems to be of better code quality.

https://bugzilla.gnome.org/show_bug.cgi?id=774533

---

 gst/vmnc/vmncdec.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c

index 08085b5..c83e315 100644

--- a/gst/vmnc/vmncdec.c

+++ b/gst/vmnc/vmncdec.c

@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,

   if (dec->imagedata)

     g_free (dec->imagedata);

-  dec->imagedata = g_malloc (dec->format.width * dec->format.height *

+  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *

       dec->format.bytes_per_pixel);

   GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);

@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,

             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);

             return ERROR_INVALID;

           }

+        } else if (r.width > 16384 || r.height > 16384) {

+          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,

+              r.height);

+          return ERROR_INVALID;

         }

         switch (r.type) {

-- 

2.9.3