Blame SOURCES/libvncserver-0.9.11-CVE-2019-20840.patch

Backport of:
From 0cf1400c61850065de590d403f6d49e32882fd76 Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer <eike@sf-mail.de>
Date: Tue, 28 May 2019 18:30:46 +0200
Subject: [PATCH] fix crash because of unaligned accesses in
 hybiReadAndDecode()
[Ubuntu note: patch backported to apply on libvncserver/websockets.c instead of
libvncserver/ws_decode.c
 -- Avital]
---
 libvncserver/ws_decode.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
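--- a/libvncserver/websockets.c
+++ b/libvncserver/websockets.c
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
   int bufsize;
   int nextRead;
   unsigned char *data;
-  uint32_t *data32;
   ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
 
   /* if data was carried over, copy to start of buffer */
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
   /* for a possible base64 decoding, we decode multiples of 4 bytes until
    * the whole frame is received and carry over any remaining bytes in the carry buf*/
   data = (unsigned char *)hybiPayloadStart(wsctx);
-  data32= (uint32_t *)data;
 
   for (i = 0; i < (toDecode >> 2); i++) {
-    data32[i] ^= wsctx->header.mask.u;
+    uint32_t tmp;
+    memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
+    tmp ^= wsctx->header.mask.u;
+    memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
   }
   rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);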
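Review bot: The rewritten loop body in the second hunk has no comment saying why the mask is applied through `memcpy`, so a later cleanup could bring back the `uint32_t *` cast that the commit subject names as the cause of the crash. Above `uint32_t tmp;` I would add `/* payload start need not be 4-byte aligned; unmask via memcpy, not a uint32_t cast */`. The loop still covers `toDecode >> 2` words exactly as the old code did, so this patch fixes alignment only. It relies on `toDecode` being bounded against the receive buffer by code outside the hunk, which is not visible here and is worth confirming in the backported `websockets.c`. The body of `hybiReadAndDecode()` starts before and continues after both hunks.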