Blame SOURCES/libvncserver-0.9.11-CVE-2020-14405.patch
From 483dd0834167b86833ec6d756168b426ff8b4304 Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Tue, 3 Nov 2020 13:44:14 -0600
Subject: [PATCH] libvncclient/rfbproto: limit max textchat size
Addresses GitHub Security Lab (GHSL) Vulnerability Report
`GHSL-2020-063`.
Re #275
---
libvncclient/rfbproto.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 94751a22..7ba00b55 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -73,6 +73,8 @@
# define snprintf _snprintf /* MSVC went straight to the underscored syntax */
#endif
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
+
/*
* rfbClientLog prints a time-stamped message to the log file (stderr).
*/
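Review bot: The `/* 10MB */` comment on `MAX_TEXTCHAT_SIZE` gives the value but not what it guards, although the constant is a bound on a length field supplied by the remote server. I would document that on the define, for example `/* Largest TextChat payload accepted from the server; checked before the length is used to size a malloc() */`. Writing the literal with an unsigned suffix (`10485760U`) would also make the later comparison unsigned, whatever the type of the length field declared outside this hunk turns out to be.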
@@ -2285,6 +2287,8 @@ HandleRFBServerMessage(rfbClient* client)
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
break;
default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
buffer=malloc(msg.tc.length+1);
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
{
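Review bot: The result of `buffer=malloc(msg.tc.length+1);` is passed to `ReadFromRFBServer` with no NULL check in the visible lines, and the new bound still lets a server trigger an allocation of up to 10 MB per message, so a failed allocation remains reachable. Adding `if (!buffer) return FALSE;` directly after the malloc would close that path. The new early `return FALSE` is also silent; a `rfbClientLog` call reporting the rejected length would let an operator tell an oversized TextChat message from an ordinary connection failure. The type of `msg.tc.length` is declared outside this hunk, so confirm it is unsigned; if it is signed, a negative value would pass the `> MAX_TEXTCHAT_SIZE` test. HandleRFBServerMessage starts and ends outside the hunk.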
--
2.28.0