
From b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Tue, 10 Sep 2019 15:36:42 +0200
Subject: [PATCH] Handle empty Tight gradient rects
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.
This could theoretically be used by a malicious server to inject
code into the viewer process.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
---
 common/rfb/tightDecode.h | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/common/rfb/tightDecode.h b/common/rfb/tightDecode.h
aeab07
index b6e86ed5e..8f77aebd0 100644
aeab07
--- a/common/rfb/tightDecode.h
aeab07
+++ b/common/rfb/tightDecode.h
aeab07
@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf,
aeab07
   int rectWidth = r.width();
aeab07
 
aeab07
   for (y = 0; y < rectHeight; y++) {
aeab07
-    /* First pixel in a row */
aeab07
-    for (c = 0; c < 3; c++) {
aeab07
-      pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
aeab07
-      thisRow[c] = pix[c];
aeab07
-    }
aeab07
-    pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
aeab07
+    for (x = 0; x < rectWidth; x++) {
aeab07
+      /* First pixel in a row */
aeab07
+      if (x == 0) {
aeab07
+        for (c = 0; c < 3; c++) {
aeab07
+          pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
aeab07
+          thisRow[c] = pix[c];
aeab07
+        }
aeab07
+        pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
aeab07
+        continue;
aeab07
+      }
aeab07
 
aeab07
-    /* Remaining pixels of a row */
aeab07
-    for (x = 1; x < rectWidth; x++) {
aeab07
       for (c = 0; c < 3; c++) {
aeab07
         est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
aeab07
         if (est[c] > 0xff) {
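Review bot: The zero-width case is now handled only implicitly, by the `for (x = 0; x < rectWidth; x++)` loop never running, and nothing in the new code says so; a later cleanup that hoists the `x == 0` block back out of the loop to avoid the per-pixel branch would silently reintroduce the write to `outbuf[y*stride]` for an empty rect. I would state the invariant where it lives: `/* First pixel in a row; kept inside the x loop so a zero-width rect writes nothing */`. The per-pixel `x == 0` test is also a small cost in a hot loop; an explicit `if (rectWidth == 0) return;` before the y loop would let the first-pixel code stay outside the loop, though that is a style preference. This hunk does not show where r.width() and r.height() are bounded; if they are limited only by the 16-bit wire encoding, `y*rectWidth*3` can exceed int range for large rects, so it is worth confirming the caller clips the rect to the framebuffer before the filter runs. FilterGradient24 starts before and continues after this hunk.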
aeab07
@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf,
aeab07
   int rectWidth = r.width();
aeab07
 
aeab07
   for (y = 0; y < rectHeight; y++) {
aeab07
-    /* First pixel in a row */
aeab07
-    pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
aeab07
-    for (c = 0; c < 3; c++)
aeab07
-      pix[c] += prevRow[c];
aeab07
+    for (x = 0; x < rectWidth; x++) {
aeab07
+      /* First pixel in a row */
aeab07
+      if (x == 0) {
aeab07
+        pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
aeab07
+        for (c = 0; c < 3; c++)
aeab07
+          pix[c] += prevRow[c];
aeab07
 
aeab07
-    memcpy(thisRow, pix, sizeof(pix));
aeab07
+        memcpy(thisRow, pix, sizeof(pix));
aeab07
 
aeab07
-    pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
aeab07
+        pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
aeab07
+
aeab07
+        continue;
aeab07
+      }
aeab07
 
aeab07
-    /* Remaining pixels of a row */
aeab07
-    for (x = 1; x < rectWidth; x++) {
aeab07
       for (c = 0; c < 3; c++) {
aeab07
         est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
aeab07
         if (est[c] > 255) {
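Review bot: The same invariant is undocumented here: the loop bound `x < rectWidth` is the only thing that keeps a zero-width rect from touching `outbuf[y*stride]`, and the blank line left before `continue;` makes the branch read like a leftover rather than a deliberate guard. I would drop that stray blank line and replace the comment with `/* First pixel in a row; inside the x loop so an empty rect writes nothing */`. FilterGradient and FilterGradient24 now carry two copies of the same first-pixel/remaining-pixel structure, so any further bounds fix has to be applied twice; a comment pointing at the sibling, or a shared helper, would reduce the chance of fixing only one. FilterGradient starts before and continues after this hunk.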