Blame SOURCES/tigervnc-CVE-2014-8241.patch

288618
diff --git a/CMakeLists.txt b/CMakeLists.txt
288618
index 0e325e2..1d4e1bf 100644
288618
--- a/CMakeLists.txt
288618
+++ b/CMakeLists.txt
288618
@@ -67,6 +67,14 @@ add_definitions(-D__BUILD__="${BUILD}")
288618
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -UNDEBUG")
288618
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -UNDEBUG")
288618
288618
+# We want to keep our asserts even in release builds so remove NDEBUG
288618
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -UNDEBUG")
288618
+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -UNDEBUG")
288618
+set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} -UNDEBUG")
288618
+set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -UNDEBUG")
288618
+set(CMAKE_C_FLAGS_MINSIZEREL "${CMAKE_C_FLAGS_MINSIZEREL} -UNDEBUG")
288618
+set(CMAKE_CXX_FLAGS_MINSIZEREL "${CMAKE_CXX_FLAGS_MINSIZEREL} -UNDEBUG")
288618
+
288618
 if(NOT DEFINED BUILD_WINVNC)
288618
   set(BUILD_WINVNC 1)
288618
 endif()
288618
diff --git a/common/Xregion/Region.c b/common/Xregion/Region.c
288618
index 604ecde..4bb52ea 100644
288618
--- a/common/Xregion/Region.c
288618
+++ b/common/Xregion/Region.c
288618
@@ -1083,6 +1083,8 @@ miRegionOp(newReg, reg1, reg2, overlapFunc,  nonOverlap1Func, nonOverlap2Func)
288618
 	    newReg->size = 1;
288618
 	    Xfree((char *) newReg->rects);
288618
 	    newReg->rects = (BoxPtr) Xmalloc(sizeof(BoxRec));
288618
+	    if (! newReg->rects)
288618
+	      newReg->size = 0;
288618
 	}
288618
     }
288618
     Xfree ((char *) oldRects);
288618
diff --git a/unix/vncconfig/vncExt.c b/unix/vncconfig/vncExt.c
288618
index ff5532b..c2e6d3c 100644
288618
--- a/unix/vncconfig/vncExt.c
288618
+++ b/unix/vncconfig/vncExt.c
288618
@@ -109,6 +109,10 @@ Bool XVncExtGetParam(Display* dpy, const char* param, char** value, int* len)
288618
   if (rep.success) {
288618
     *len = rep.valueLen;
288618
     *value = (char*) Xmalloc (*len+1);
288618
+    if (!*value) {
288618
+      _XEatData(dpy, (*len+1)&~1);
288618
+      return False;
288618
+    }
288618
     _XReadPad(dpy, *value, *len);
288618
     (*value)[*len] = 0;
288618
   }
288618
@@ -141,6 +145,10 @@ char* XVncExtGetParamDesc(Display* dpy, const char* param)
288618
   }
288618
   if (rep.success) {
288618
     desc = (char*)Xmalloc(rep.descLen+1);
288618
+    if (!*desc) {
288618
+      _XEatData(dpy, (rep.descLen+1)&~1);
288618
+      return False;
288618
+    }
288618
     _XReadPad(dpy, desc, rep.descLen);
288618
     desc[rep.descLen] = 0;
288618
   }
288618
@@ -243,6 +251,10 @@ Bool XVncExtGetClientCutText(Display* dpy, char** str, int* len)
288618
   SyncHandle();
288618
   *len = rep.textLen;
288618
   *str = (char*) Xmalloc (*len+1);
288618
+  if (!*str) {
288618
+    _XEatData(dpy, (*len+1)&~1);
288618
+    return False;
288618
+  }
288618
   _XReadPad(dpy, *str, *len);
288618
   (*str)[*len] = 0;
288618
   return True;
288618
@@ -312,9 +324,15 @@ Bool XVncExtGetQueryConnect(Display* dpy, char** addr, char** user,
288618
   SyncHandle();
288618
288618
   *addr = Xmalloc(rep.addrLen+1);
288618
+  *user = Xmalloc(rep.userLen+1);
288618
+  if (!*addr || !*user) {
288618
+    Xfree(*addr);
288618
+    Xfree(*user);
288618
+    _XEatData(dpy, (rep.addrLen+1)&~1 + (rep.userLen+1)&~1);
288618
+    return False;
288618
+  }
288618
   _XReadPad(dpy, *addr, rep.addrLen);
288618
   (*addr)[rep.addrLen] = 0;
288618
-  *user = Xmalloc(rep.userLen+1);
288618
   _XReadPad(dpy, *user, rep.userLen);
288618
   (*user)[rep.userLen] = 0;
288618
   *timeout = rep.timeout;
288618
diff --git a/unix/vncconfig/vncconfig.cxx b/unix/vncconfig/vncconfig.cxx
288618
index f70cc71..bffdfbe 100644
288618
--- a/unix/vncconfig/vncconfig.cxx
288618
+++ b/unix/vncconfig/vncconfig.cxx
288618
@@ -215,6 +215,10 @@ public:
288618
       if (cutText)
288618
         XFree(cutText);
288618
       cutText = (char*)malloc(nitems); // assuming XFree() same as free()
288618
+      if (!cutText) {
288618
+        vlog.error("unable to allocate selection buffer");
288618
+        return;
288618
+      }
288618
       memcpy(cutText, data, nitems);
288618
       cutTextLen = nitems;
288618
       vlog.debug("sending %s selection as server cut text: '%.*s%s'",