diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
index f998c6a..d113f17 100644
--- a/unix/x0vncserver/Image.cxx
+++ b/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
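Review bot: The new guard reads `xim->bytes_per_line` directly after XCreateImage() with no NULL test in between, and XCreateImage() returns NULL when it cannot allocate the image structure. Within the visible lines nothing rules that out, so the overflow check itself can dereference a null pointer. Put `if (xim == NULL) { vlog.error("XCreateImage() failed"); exit(1); }` ahead of the size check, kept separate so that XDestroyImage() is never called on NULL. Image::Init starts before this hunk and continues after it.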
@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
return;
}
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
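Review bot: The guard has no comment tying it to the `xim->bytes_per_line * xim->height` product that is passed to shmget() just below, so a later reader cannot tell that it is an integer-overflow check rather than a sanity limit on screen size. I would add `// bytes_per_line * height is computed in int below; reject sizes whose product would overflow` above the `if`, and the same at the three other copies of this test in the diff. Separately, the condition uses `INT_MAX` and no hunk adds `<limits.h>` or `<climits>` to either file; if it is only reaching these files through another header, an explicit include would be safer. ShmImage::Init extends beyond the hunk on both sides.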
diff --git a/vncviewer/X11PixelBuffer.cxx b/vncviewer/X11PixelBuffer.cxx
index bd0610c..2c493c9 100644
--- a/vncviewer/X11PixelBuffer.cxx
+++ b/vncviewer/X11PixelBuffer.cxx
@@ -105,6 +105,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
ZPixmap, 0, 0, width, height, BitmapPad(fl_display), 0);
assert(xim);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
assert(xim->data);
}
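Review bot: The inner `if (xim)` in the new block can never be false, because the enclosing condition has already dereferenced `xim->bytes_per_line`; it reads as a NULL guard but provides none. The only real guard is the `assert(xim)` above, which is compiled out when NDEBUG is defined, so a failed XCreateImage() would then crash in the size check. Either drop the inner test and call `XDestroyImage(xim);` unconditionally, or replace the assert with `if (!xim) throw rfb::Exception("XCreateImage() failed");` before the size check. The constructor begins before the hunk.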
@@ -169,6 +178,16 @@ int PlatformPixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
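Review bot: The new block throws from setupShm(), while the failure path visible two lines above it uses `goto free_shminfo`, and the function returns int. It also repeats the `delete shminfo; shminfo = NULL;` cleanup that the label presumably performs already. If callers treat a failed return as "fall back to the non-SHM image" (not visible here), this throw bypasses that fallback. Consider `XDestroyImage(xim); xim = NULL; goto free_shminfo;` so that every setup failure leaves through one cleanup path. The label body and the rest of setupShm() are outside the hunk, so confirm what `free_shminfo` releases before reusing it.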