rpms / libvncserver

Clone
Source Code
GIT

Blame SOURCES/LibVNCServer-0.9.10-CVE-2014-6053.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   41da016124876426bcc647777b7e5a7ca854690f
  2.   SOURCES
  3.   LibVNCServer-0.9.10-CVE-2014-6053.patch
Blob History Raw
41da01 
commit 6037a9074d52b1963c97cb28ea1096c7c14cbf28
41da01 
Author: Nicolas Ruff <nruff@google.com>
41da01 
Date:   Mon Aug 18 15:16:16 2014 +0200
41da01
41da01 
    Check malloc() return value on client->server ClientCutText message. Client can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would in a server crash (write at address 0).
41da01
41da01 
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
41da01 
index 5f3b31d..7e43fe3 100644
41da01 
--- a/libvncserver/rfbserver.c
41da01 
+++ b/libvncserver/rfbserver.c
41da01 
@@ -2461,6 +2461,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
41da01 
 	msg.cct.length = Swap32IfLE(msg.cct.length);
41da01
41da01 
 	str = (char *)malloc(msg.cct.length);
41da01 
+	if (str == NULL) {
41da01 
+		rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
41da01 
+		rfbCloseClient(cl);
41da01 
+		return;
41da01 
+	}
41da01
41da01 
 	if ((n = rfbReadExact(cl, str, msg.cct.length)) <= 0) {
41da01 
 	    if (n != 0)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation