rpms / libvncserver

Clone
Source Code
GIT

Files

  1.   217285dc9042289f8bec33790343aaf1dbadc458
  2.   SOURCES
  3.   libvncserver-0.9.11-CVE-2020-14397.patch
Blob Blame History Raw 
From 416d7662a3f3ac5131014c6011bf1364d57a27e2 Mon Sep 17 00:00:00 2001
From: Tobias Junghans <tobydox@veyon.io>
Date: Tue, 3 Nov 2020 13:58:36 -0600
Subject: [PATCH] libvncserver: add missing NULL pointer checks

---
 libvncserver/rfbregion.c | 26 ++++++++++++++++----------
 libvncserver/rfbserver.c |  4 +++-
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/libvncserver/rfbregion.c b/libvncserver/rfbregion.c
index 1947d7c4..1e59646a 100644
--- a/libvncserver/rfbregion.c
+++ b/libvncserver/rfbregion.c
@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
 
 static void
 sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
-  newspan->_next = after->_next;
-  newspan->_prev = after;
-  after->_next->_prev = newspan;
-  after->_next = newspan;
+  if (newspan && after) {
+    newspan->_next = after->_next;
+    newspan->_prev = after;
+    after->_next->_prev = newspan;
+    after->_next = newspan;
+  }
 }
 
 static void
 sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
-  newspan->_next = before;
-  newspan->_prev = before->_prev;
-  before->_prev->_next = newspan;
-  before->_prev = newspan;
+  if (newspan && before) {
+    newspan->_next = before;
+    newspan->_prev = before->_prev;
+    before->_prev->_next = newspan;
+    before->_prev = newspan;
+  }
 }
 
 static void
 sraSpanRemove(sraSpan *span) {
-  span->_prev->_next = span->_next;
-  span->_next->_prev = span->_prev;
+  if (span) {
+    span->_prev->_next = span->_next;
+    span->_next->_prev = span->_prev;
+  }
 }
 
 static void
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 1b4dd975..1f4230f2 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -218,6 +218,8 @@ rfbClientIteratorHead(rfbClientIteratorPtr i)
 rfbClientPtr
 rfbClientIteratorNext(rfbClientIteratorPtr i)
 {
+  if (!i)
+    return NULL;
   if(i->next == 0) {
     LOCK(rfbClientListMutex);
     i->next = i->screen->clientHead;
@@ -242,7 +244,7 @@ rfbClientIteratorNext(rfbClientIteratorPtr i)
 void
 rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
 {
-  IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
+  IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
   free(iterator);
 }
 
-- 
2.28.0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation