|
 |
e0f39d |
From 161a1d5c884f5d4c4be9522acbab8f16cb6fd7eb Mon Sep 17 00:00:00 2001
|
|
|
e0f39d |
From: newsoft <newsoft@MacBook-Air-de-newsoft-2.local>
|
|
|
e0f39d |
Date: Fri, 31 Oct 2014 12:46:28 +0100
|
|
|
e0f39d |
Subject: [PATCH] Check for MallocFrameBuffer() return value
|
|
|
e0f39d |
MIME-Version: 1.0
|
|
|
e0f39d |
Content-Type: text/plain; charset=UTF-8
|
|
|
e0f39d |
Content-Transfer-Encoding: 8bit
|
|
|
e0f39d |
|
|
|
e0f39d |
If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to
|
|
|
e0f39d |
NULL. Subsequent writes into that buffer could lead to memory
|
|
|
e0f39d |
corruption, or even arbitrary code execution.
|
|
|
e0f39d |
|
|
|
e0f39d |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
e0f39d |
---
|
|
|
e0f39d |
libvncclient/rfbproto.c | 10 +++++++---
|
|
|
e0f39d |
libvncclient/vncviewer.c | 3 ++-
|
|
|
e0f39d |
2 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
e0f39d |
|
|
|
e0f39d |
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
|
|
|
e0f39d |
index 3ecc011..beb87fc 100644
|
|
|
e0f39d |
--- a/libvncclient/rfbproto.c
|
|
|
e0f39d |
+++ b/libvncclient/rfbproto.c
|
|
|
e0f39d |
@@ -1807,7 +1807,8 @@ HandleRFBServerMessage(rfbClient* client)
|
|
|
e0f39d |
client->updateRect.x = client->updateRect.y = 0;
|
|
|
e0f39d |
client->updateRect.w = client->width;
|
|
|
e0f39d |
client->updateRect.h = client->height;
|
|
|
e0f39d |
- client->MallocFrameBuffer(client);
|
|
|
e0f39d |
+ if (!client->MallocFrameBuffer(client))
|
|
|
e0f39d |
+ return FALSE;
|
|
|
e0f39d |
SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
|
|
|
e0f39d |
rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
|
|
|
e0f39d |
continue;
|
|
|
e0f39d |
@@ -2260,7 +2261,8 @@ HandleRFBServerMessage(rfbClient* client)
|
|
|
e0f39d |
client->updateRect.x = client->updateRect.y = 0;
|
|
|
e0f39d |
client->updateRect.w = client->width;
|
|
|
e0f39d |
client->updateRect.h = client->height;
|
|
|
e0f39d |
- client->MallocFrameBuffer(client);
|
|
|
e0f39d |
+ if (!client->MallocFrameBuffer(client))
|
|
|
e0f39d |
+ return FALSE;
|
|
|
e0f39d |
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
|
|
|
e0f39d |
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
|
|
|
e0f39d |
break;
|
|
|
e0f39d |
@@ -2276,7 +2278,9 @@ HandleRFBServerMessage(rfbClient* client)
|
|
|
e0f39d |
client->updateRect.x = client->updateRect.y = 0;
|
|
|
e0f39d |
client->updateRect.w = client->width;
|
|
|
e0f39d |
client->updateRect.h = client->height;
|
|
|
e0f39d |
- client->MallocFrameBuffer(client);
|
|
|
e0f39d |
+ if (!client->MallocFrameBuffer(client))
|
|
|
e0f39d |
+ return FALSE;
|
|
|
e0f39d |
+
|
|
|
e0f39d |
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
|
|
|
e0f39d |
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
|
|
|
e0f39d |
break;
|
|
|
e0f39d |
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
|
|
|
e0f39d |
index b2cce2b..978a9a7 100644
|
|
|
e0f39d |
--- a/libvncclient/vncviewer.c
|
|
|
e0f39d |
+++ b/libvncclient/vncviewer.c
|
|
|
e0f39d |
@@ -243,7 +243,8 @@ static rfbBool rfbInitConnection(rfbClient* client)
|
|
|
e0f39d |
|
|
|
e0f39d |
client->width=client->si.framebufferWidth;
|
|
|
e0f39d |
client->height=client->si.framebufferHeight;
|
|
|
e0f39d |
- client->MallocFrameBuffer(client);
|
|
|
e0f39d |
+ if (!client->MallocFrameBuffer(client))
|
|
|
e0f39d |
+ return FALSE;
|
|
|
e0f39d |
|
|
|
e0f39d |
if (!SetFormatAndEncodings(client))
|
|
|
e0f39d |
return FALSE;
|
|
|
e0f39d |
--
|
|
|
e0f39d |
1.9.3
|
|
|
e0f39d |
|