|
 |
80465d |
Backport of:
|
|
|
80465d |
From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001
|
|
|
80465d |
From: Rolf Eike Beer <eike@sf-mail.de>
|
|
|
80465d |
Date: Tue, 28 May 2019 18:30:46 +0200
|
|
|
80465d |
Subject: [PATCH] fix crash because of unaligned accesses in
|
|
|
80465d |
hybiReadAndDecode()
|
|
|
80465d |
|
|
|
80465d |
[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of
|
|
|
80465d |
libvncserver/ws_decode.c
|
|
|
80465d |
-- Avital]
|
|
|
80465d |
|
|
|
80465d |
---
|
|
|
80465d |
libvncserver/ws_decode.c | 7 ++++---
|
|
|
80465d |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
80465d |
|
|
|
80465d |
--- a/libvncserver/websockets.c
|
|
|
80465d |
+++ b/libvncserver/websockets.c
|
|
|
80465d |
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
|
|
|
80465d |
int bufsize;
|
|
|
80465d |
int nextRead;
|
|
|
80465d |
unsigned char *data;
|
|
|
80465d |
- uint32_t *data32;
|
|
|
80465d |
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
|
|
|
80465d |
|
|
|
80465d |
/* if data was carried over, copy to start of buffer */
|
|
|
80465d |
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
|
|
|
80465d |
/* for a possible base64 decoding, we decode multiples of 4 bytes until
|
|
|
80465d |
* the whole frame is received and carry over any remaining bytes in the carry buf*/
|
|
|
80465d |
data = (unsigned char *)hybiPayloadStart(wsctx);
|
|
|
80465d |
- data32= (uint32_t *)data;
|
|
|
80465d |
|
|
|
80465d |
for (i = 0; i < (toDecode >> 2); i++) {
|
|
|
80465d |
- data32[i] ^= wsctx->header.mask.u;
|
|
|
80465d |
+ uint32_t tmp;
|
|
|
80465d |
+ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
|
|
|
80465d |
+ tmp ^= wsctx->header.mask.u;
|
|
|
80465d |
+ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
|
|
|
80465d |
}
|
|
|
80465d |
rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
|
|
|
80465d |
|