From aeab07d55ac671c4b6ed258d12510c4863c306a5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 16 2020 20:10:31 +0000 Subject: import tigervnc-1.9.0-14.el8_1 --- diff --git a/SOURCES/tigervnc-CVE-2019-15691.patch b/SOURCES/tigervnc-CVE-2019-15691.patch new file mode 100644 index 0000000..1b0a6c8 --- /dev/null +++ b/SOURCES/tigervnc-CVE-2019-15691.patch @@ -0,0 +1,116 @@ +From d61a767d6842b530ffb532ddd5a3d233119aad40 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 10 Sep 2019 11:05:48 +0200 +Subject: [PATCH] Make ZlibInStream more robust against failures + +Move the checks around to avoid missing cases where we might access +memory that is no longer valid. Also avoid touching the underlying +stream implicitly (e.g. via the destructor) as it might also no +longer be valid. + +A malicious server could theoretically use this for remote code +execution in the client. + +Issue found by Pavel Cheremushkin from Kaspersky Lab +--- + common/rdr/ZlibInStream.cxx | 13 +++++++------ + common/rdr/ZlibInStream.h | 2 +- + common/rfb/CMsgReader.cxx | 3 ++- + common/rfb/SMsgReader.cxx | 3 ++- + common/rfb/TightDecoder.cxx | 3 ++- + common/rfb/zrleDecode.h | 3 ++- + 6 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/common/rdr/ZlibInStream.cxx b/common/rdr/ZlibInStream.cxx +index 4053bd1..a361010 100644 +--- a/common/rdr/ZlibInStream.cxx ++++ b/common/rdr/ZlibInStream.cxx +@@ -52,16 +52,16 @@ int ZlibInStream::pos() + return offset + ptr - start; + } + +-void ZlibInStream::removeUnderlying() ++void ZlibInStream::flushUnderlying() + { + ptr = end = start; +- if (!underlying) return; + + while (bytesIn > 0) { + decompress(true); + end = start; // throw away any data + } +- underlying = 0; ++ ++ setUnderlying(NULL, 0); + } + + void ZlibInStream::reset() +@@ -90,7 +90,7 @@ void ZlibInStream::init() + void ZlibInStream::deinit() + { + assert(zs != NULL); +- removeUnderlying(); ++ setUnderlying(NULL, 0); + inflateEnd(zs); + delete zs; + zs = NULL; +@@ -100,8 +100,6 @@ int ZlibInStream::overrun(int itemSize, int nItems, bool wait) + { + if (itemSize > bufSize) + throw Exception("ZlibInStream overrun: max itemSize exceeded"); +- if (!underlying) +- throw Exception("ZlibInStream overrun: no underlying stream"); + + if (end - ptr != 0) + memmove(start, ptr, end - ptr); +@@ -127,6 +125,9 @@ int ZlibInStream::overrun(int itemSize, int nItems, bool wait) + + bool ZlibInStream::decompress(bool wait) + { ++ if (!underlying) ++ throw Exception("ZlibInStream overrun: no underlying stream"); ++ + zs->next_out = (U8*)end; + zs->avail_out = start + bufSize - end; + +diff --git a/common/rdr/ZlibInStream.h b/common/rdr/ZlibInStream.h +index 6bd4da4..86ba1ff 100644 +--- a/common/rdr/ZlibInStream.h ++++ b/common/rdr/ZlibInStream.h +@@ -38,7 +38,7 @@ namespace rdr { + virtual ~ZlibInStream(); + + void setUnderlying(InStream* is, int bytesIn); +- void removeUnderlying(); ++ void flushUnderlying(); + int pos(); + void reset(); + +diff --git a/common/rfb/TightDecoder.cxx b/common/rfb/TightDecoder.cxx +index 3a1254a..4273eb7 100644 +--- a/common/rfb/TightDecoder.cxx ++++ b/common/rfb/TightDecoder.cxx +@@ -340,7 +340,8 @@ void TightDecoder::decodeRect(const Rect& r, const void* buffer, + + zis[streamId].readBytes(netbuf, dataSize); + +- zis[streamId].removeUnderlying(); ++ zis[streamId].flushUnderlying(); ++ zis[streamId].setUnderlying(NULL, 0); + delete ms; + + bufptr = netbuf; +diff --git a/common/rfb/zrleDecode.h b/common/rfb/zrleDecode.h +index 0bfbbe1..a69ca67 100644 +--- a/common/rfb/zrleDecode.h ++++ b/common/rfb/zrleDecode.h +@@ -178,7 +178,8 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is, + } + } + +- zis->removeUnderlying(); ++ zis->flushUnderlying(); ++ zis->setUnderlying(NULL, 0); + } + + #undef ZRLE_DECODE diff --git a/SOURCES/tigervnc-CVE-2019-15692.patch b/SOURCES/tigervnc-CVE-2019-15692.patch new file mode 100644 index 0000000..4b0e983 --- /dev/null +++ b/SOURCES/tigervnc-CVE-2019-15692.patch @@ -0,0 +1,71 @@ +From 996356b6c65ca165ee1ea46a571c32a1dc3c3821 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 10 Sep 2019 15:21:03 +0200 +Subject: [PATCH] Restrict PixelBuffer dimensions to safe values + +We do a lot of calculations based on pixel coordinates and we need +to make sure they do not overflow. Restrict the maximum dimensions +we support rather than try to switch over all calculations to use +64 bit integers. + +This prevents attackers from from injecting code by specifying a +huge framebuffer size and relying on the values overflowing to +access invalid areas of the heap. + +This primarily affects the client which gets both the screen +dimensions and the pixel contents from the remote side. But the +server might also be affected as a client can adjust the screen +dimensions, as can applications inside the session. + +Issue found by Pavel Cheremushkin from Kaspersky Lab. +--- + common/rfb/PixelBuffer.cxx | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx +index ad58324..18f41f8 100644 +--- a/common/rfb/PixelBuffer.cxx ++++ b/common/rfb/PixelBuffer.cxx +@@ -31,6 +31,14 @@ using namespace rdr; + + static LogWriter vlog("PixelBuffer"); + ++// We do a lot of byte offset calculations that assume the result fits ++// inside a signed 32 bit integer. Limit the maximum size of pixel ++// buffers so that these calculations never overflow. ++ ++const int maxPixelBufferWidth = 16384; ++const int maxPixelBufferHeight = 16384; ++const int maxPixelBufferStride = 16384; ++ + + // -=- Generic pixel buffer class + +@@ -108,6 +116,11 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf, + + void PixelBuffer::setSize(int width, int height) + { ++ if ((width < 0) || (width > maxPixelBufferWidth)) ++ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width); ++ if ((height < 0) || (height > maxPixelBufferHeight)) ++ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height); ++ + width_ = width; + height_ = height; + } +@@ -337,6 +350,15 @@ const rdr::U8* FullFramePixelBuffer::getBuffer(const Rect& r, int* stride_) cons + void FullFramePixelBuffer::setBuffer(int width, int height, + rdr::U8* data_, int stride_) + { ++ if ((width < 0) || (width > maxPixelBufferWidth)) ++ throw rfb::Exception("Invalid PixelBuffer width of %d pixels requested", width); ++ if ((height < 0) || (height > maxPixelBufferHeight)) ++ throw rfb::Exception("Invalid PixelBuffer height of %d pixels requested", height); ++ if ((stride_ < 0) || (stride_ > maxPixelBufferStride) || (stride_ < width)) ++ throw rfb::Exception("Invalid PixelBuffer stride of %d pixels requested", stride_); ++ if ((width != 0) && (height != 0) && (data_ == NULL)) ++ throw rfb::Exception("PixelBuffer requested without a valid memory area"); ++ + ModifiablePixelBuffer::setSize(width, height); + stride = stride_; + data = data_; diff --git a/SOURCES/tigervnc-CVE-2019-15693.patch b/SOURCES/tigervnc-CVE-2019-15693.patch new file mode 100644 index 0000000..1e5f152 --- /dev/null +++ b/SOURCES/tigervnc-CVE-2019-15693.patch @@ -0,0 +1,75 @@ +From b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 10 Sep 2019 15:36:42 +0200 +Subject: [PATCH] Handle empty Tight gradient rects + +We always assumed there would be one pixel per row so a rect with +a zero width would result in us writing to unknown memory. + +This could theoretically be used by a malicious server to inject +code in to the viewer process. + +Issue found by Pavel Cheremushkin from Kaspersky Lab. +--- + common/rfb/tightDecode.h | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/common/rfb/tightDecode.h b/common/rfb/tightDecode.h +index b6e86ed5e..8f77aebd0 100644 +--- a/common/rfb/tightDecode.h ++++ b/common/rfb/tightDecode.h +@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf, + int rectWidth = r.width(); + + for (y = 0; y < rectHeight; y++) { +- /* First pixel in a row */ +- for (c = 0; c < 3; c++) { +- pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c]; +- thisRow[c] = pix[c]; +- } +- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); ++ for (x = 0; x < rectWidth; x++) { ++ /* First pixel in a row */ ++ if (x == 0) { ++ for (c = 0; c < 3; c++) { ++ pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c]; ++ thisRow[c] = pix[c]; ++ } ++ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); ++ continue; ++ } + +- /* Remaining pixels of a row */ +- for (x = 1; x < rectWidth; x++) { + for (c = 0; c < 3; c++) { + est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; + if (est[c] > 0xff) { +@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf, + int rectWidth = r.width(); + + for (y = 0; y < rectHeight; y++) { +- /* First pixel in a row */ +- pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1); +- for (c = 0; c < 3; c++) +- pix[c] += prevRow[c]; ++ for (x = 0; x < rectWidth; x++) { ++ /* First pixel in a row */ ++ if (x == 0) { ++ pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1); ++ for (c = 0; c < 3; c++) ++ pix[c] += prevRow[c]; + +- memcpy(thisRow, pix, sizeof(pix)); ++ memcpy(thisRow, pix, sizeof(pix)); + +- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); ++ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); ++ ++ continue; ++ } + +- /* Remaining pixels of a row */ +- for (x = 1; x < rectWidth; x++) { + for (c = 0; c < 3; c++) { + est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; + if (est[c] > 255) { diff --git a/SOURCES/tigervnc-CVE-2019-15694.patch b/SOURCES/tigervnc-CVE-2019-15694.patch new file mode 100644 index 0000000..8f3fc27 --- /dev/null +++ b/SOURCES/tigervnc-CVE-2019-15694.patch @@ -0,0 +1,1419 @@ +From 0943c006c7d900dfc0281639e992791d6c567438 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Mon, 23 Sep 2019 11:00:17 +0200 +Subject: [PATCH] Use size_t for lengths in stream objects + +Provides safety against them accidentally becoming negative because +of bugs in the calculations. + +Also does the same to CharArray and friends as they were strongly +connection to the stream objects. +--- + common/rdr/FdInStream.cxx | 20 ++++++++++---------- + common/rdr/FdInStream.h | 17 +++++++++-------- + common/rdr/FdOutStream.cxx | 20 ++++++++++---------- + common/rdr/FdOutStream.h | 12 ++++++------ + common/rdr/FileInStream.cxx | 8 ++++---- + common/rdr/FileInStream.h | 4 ++-- + common/rdr/HexInStream.cxx | 20 ++++++++++---------- + common/rdr/HexInStream.h | 12 ++++++------ + common/rdr/HexOutStream.cxx | 20 ++++++++++---------- + common/rdr/HexOutStream.h | 12 ++++++------ + common/rdr/InStream.h | 16 ++++++++-------- + common/rdr/MemInStream.h | 8 ++++---- + common/rdr/MemOutStream.h | 12 ++++++------ + common/rdr/OutStream.h | 20 ++++++++++---------- + common/rdr/RandomStream.cxx | 14 +++++++------- + common/rdr/RandomStream.h | 6 +++--- + common/rdr/TLSInStream.cxx | 10 +++++----- + common/rdr/TLSInStream.h | 10 +++++----- + common/rdr/TLSOutStream.cxx | 10 +++++----- + common/rdr/TLSOutStream.h | 10 +++++----- + common/rdr/ZlibInStream.cxx | 16 ++++++++-------- + common/rdr/ZlibInStream.h | 14 +++++++------- + common/rdr/ZlibOutStream.cxx | 10 +++++----- + common/rdr/ZlibOutStream.h | 10 +++++----- + common/rfb/Configuration.cxx | 6 +++--- + common/rfb/Configuration.h | 13 +++++++------ + common/rfb/Password.cxx | 6 +++--- + common/rfb/Password.h | 6 +++--- + common/rfb/util.h | 2 +- + tests/perf/encperf.cxx | 10 +++++----- + win/rfb_win32/Registry.cxx | 6 +++--- + win/rfb_win32/Registry.h | 6 +++--- + 32 files changed, 184 insertions(+), 182 deletions(-) + +diff --git a/common/rdr/FdInStream.cxx b/common/rdr/FdInStream.cxx +index 011ebf4..789cbec 100644 +--- a/common/rdr/FdInStream.cxx ++++ b/common/rdr/FdInStream.cxx +@@ -56,7 +56,7 @@ using namespace rdr; + enum { DEFAULT_BUF_SIZE = 8192, + MIN_BULK_SIZE = 1024 }; + +-FdInStream::FdInStream(int fd_, int timeoutms_, int bufSize_, ++FdInStream::FdInStream(int fd_, int timeoutms_, size_t bufSize_, + bool closeWhenDone_) + : fd(fd_), closeWhenDone(closeWhenDone_), + timeoutms(timeoutms_), blockCallback(0), +@@ -67,7 +67,7 @@ FdInStream::FdInStream(int fd_, int timeoutms_, int bufSize_, + } + + FdInStream::FdInStream(int fd_, FdInStreamBlockCallback* blockCallback_, +- int bufSize_) ++ size_t bufSize_) + : fd(fd_), timeoutms(0), blockCallback(blockCallback_), + timing(false), timeWaitedIn100us(5), timedKbits(0), + bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0) +@@ -92,12 +92,12 @@ void FdInStream::setBlockCallback(FdInStreamBlockCallback* blockCallback_) + timeoutms = 0; + } + +-int FdInStream::pos() ++size_t FdInStream::pos() + { + return offset + ptr - start; + } + +-void FdInStream::readBytes(void* data, int length) ++void FdInStream::readBytes(void* data, size_t length) + { + if (length < MIN_BULK_SIZE) { + InStream::readBytes(data, length); +@@ -106,7 +106,7 @@ void FdInStream::readBytes(void* data, int length) + + U8* dataPtr = (U8*)data; + +- int n = end - ptr; ++ size_t n = end - ptr; + if (n > length) n = length; + + memcpy(dataPtr, ptr, n); +@@ -123,7 +123,7 @@ void FdInStream::readBytes(void* data, int length) + } + + +-int FdInStream::overrun(int itemSize, int nItems, bool wait) ++size_t FdInStream::overrun(size_t itemSize, size_t nItems, bool wait) + { + if (itemSize > bufSize) + throw Exception("FdInStream overrun: max itemSize exceeded"); +@@ -135,7 +135,7 @@ int FdInStream::overrun(int itemSize, int nItems, bool wait) + end -= ptr - start; + ptr = start; + +- int bytes_to_read; ++ size_t bytes_to_read; + while (end < start + itemSize) { + bytes_to_read = start + bufSize - end; + if (!timing) { +@@ -147,12 +147,12 @@ int FdInStream::overrun(int itemSize, int nItems, bool wait) + // bytes is ineffecient. + bytes_to_read = vncmin(bytes_to_read, vncmax(itemSize*nItems, 8)); + } +- int n = readWithTimeoutOrCallback((U8*)end, bytes_to_read, wait); ++ size_t n = readWithTimeoutOrCallback((U8*)end, bytes_to_read, wait); + if (n == 0) return 0; + end += n; + } + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +@@ -171,7 +171,7 @@ int FdInStream::overrun(int itemSize, int nItems, bool wait) + // returning EINTR. + // + +-int FdInStream::readWithTimeoutOrCallback(void* buf, int len, bool wait) ++size_t FdInStream::readWithTimeoutOrCallback(void* buf, size_t len, bool wait) + { + struct timeval before, after; + if (timing) +diff --git a/common/rdr/FdInStream.h b/common/rdr/FdInStream.h +index b4c8765..d99ad3c 100644 +--- a/common/rdr/FdInStream.h ++++ b/common/rdr/FdInStream.h +@@ -37,16 +37,17 @@ namespace rdr { + + public: + +- FdInStream(int fd, int timeoutms=-1, int bufSize=0, ++ FdInStream(int fd, int timeoutms=-1, size_t bufSize=0, + bool closeWhenDone_=false); +- FdInStream(int fd, FdInStreamBlockCallback* blockCallback, int bufSize=0); ++ FdInStream(int fd, FdInStreamBlockCallback* blockCallback, ++ size_t bufSize=0); + virtual ~FdInStream(); + + void setTimeout(int timeoutms); + void setBlockCallback(FdInStreamBlockCallback* blockCallback); + int getFd() { return fd; } +- int pos(); +- void readBytes(void* data, int length); ++ size_t pos(); ++ void readBytes(void* data, size_t length); + + void startTiming(); + void stopTiming(); +@@ -54,10 +55,10 @@ namespace rdr { + unsigned int timeWaited() { return timeWaitedIn100us; } + + protected: +- int overrun(int itemSize, int nItems, bool wait); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait); + + private: +- int readWithTimeoutOrCallback(void* buf, int len, bool wait=true); ++ size_t readWithTimeoutOrCallback(void* buf, size_t len, bool wait=true); + + int fd; + bool closeWhenDone; +@@ -68,8 +69,8 @@ namespace rdr { + unsigned int timeWaitedIn100us; + unsigned int timedKbits; + +- int bufSize; +- int offset; ++ size_t bufSize; ++ size_t offset; + U8* start; + }; + +diff --git a/common/rdr/FdOutStream.cxx b/common/rdr/FdOutStream.cxx +index cf857f8..1757dc3 100644 +--- a/common/rdr/FdOutStream.cxx ++++ b/common/rdr/FdOutStream.cxx +@@ -51,7 +51,7 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-FdOutStream::FdOutStream(int fd_, bool blocking_, int timeoutms_, int bufSize_) ++FdOutStream::FdOutStream(int fd_, bool blocking_, int timeoutms_, size_t bufSize_) + : fd(fd_), blocking(blocking_), timeoutms(timeoutms_), + bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0) + { +@@ -79,7 +79,7 @@ void FdOutStream::setBlocking(bool blocking_) { + blocking = blocking_; + } + +-int FdOutStream::length() ++size_t FdOutStream::length() + { + return offset + ptr - sentUpTo; + } +@@ -97,9 +97,9 @@ unsigned FdOutStream::getIdleTime() + void FdOutStream::flush() + { + while (sentUpTo < ptr) { +- int n = writeWithTimeout((const void*) sentUpTo, +- ptr - sentUpTo, +- blocking? timeoutms : 0); ++ size_t n = writeWithTimeout((const void*) sentUpTo, ++ ptr - sentUpTo, ++ blocking? timeoutms : 0); + + // Timeout? + if (n == 0) { +@@ -120,7 +120,7 @@ void FdOutStream::flush() + } + + +-int FdOutStream::overrun(int itemSize, int nItems) ++size_t FdOutStream::overrun(size_t itemSize, size_t nItems) + { + if (itemSize > bufSize) + throw Exception("FdOutStream overrun: max itemSize exceeded"); +@@ -129,10 +129,10 @@ int FdOutStream::overrun(int itemSize, int nItems) + flush(); + + // Still not enough space? +- if (itemSize > end - ptr) { ++ if (itemSize > (size_t)(end - ptr)) { + // Can we shuffle things around? + // (don't do this if it gains us less than 25%) +- if ((sentUpTo - start > bufSize / 4) && ++ if (((size_t)(sentUpTo - start) > bufSize / 4) && + (itemSize < bufSize - (ptr - sentUpTo))) { + memmove(start, sentUpTo, ptr - sentUpTo); + ptr = start + (ptr - sentUpTo); +@@ -150,7 +150,7 @@ int FdOutStream::overrun(int itemSize, int nItems) + } + + // Can we fit all the items asked for? +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +@@ -166,7 +166,7 @@ int FdOutStream::overrun(int itemSize, int nItems) + // select() and send() returning EINTR. + // + +-int FdOutStream::writeWithTimeout(const void* data, int length, int timeoutms) ++size_t FdOutStream::writeWithTimeout(const void* data, size_t length, int timeoutms) + { + int n; + +diff --git a/common/rdr/FdOutStream.h b/common/rdr/FdOutStream.h +index b7f6cb0..ed84fdb 100644 +--- a/common/rdr/FdOutStream.h ++++ b/common/rdr/FdOutStream.h +@@ -34,7 +34,7 @@ namespace rdr { + + public: + +- FdOutStream(int fd, bool blocking=true, int timeoutms=-1, int bufSize=0); ++ FdOutStream(int fd, bool blocking=true, int timeoutms=-1, size_t bufSize=0); + virtual ~FdOutStream(); + + void setTimeout(int timeoutms); +@@ -42,20 +42,20 @@ namespace rdr { + int getFd() { return fd; } + + void flush(); +- int length(); ++ size_t length(); + + int bufferUsage(); + + unsigned getIdleTime(); + + private: +- int overrun(int itemSize, int nItems); +- int writeWithTimeout(const void* data, int length, int timeoutms); ++ size_t overrun(size_t itemSize, size_t nItems); ++ size_t writeWithTimeout(const void* data, size_t length, int timeoutms); + int fd; + bool blocking; + int timeoutms; +- int bufSize; +- int offset; ++ size_t bufSize; ++ size_t offset; + U8* start; + U8* sentUpTo; + struct timeval lastWrite; +diff --git a/common/rdr/FileInStream.cxx b/common/rdr/FileInStream.cxx +index 3acdfd4..94f5db8 100644 +--- a/common/rdr/FileInStream.cxx ++++ b/common/rdr/FileInStream.cxx +@@ -48,7 +48,7 @@ void FileInStream::reset(void) { + ptr = end = b; + } + +-int FileInStream::pos() ++size_t FileInStream::pos() + { + if (!file) + throw Exception("File is not open"); +@@ -56,9 +56,9 @@ int FileInStream::pos() + return ftell(file) + ptr - b; + } + +-int FileInStream::overrun(int itemSize, int nItems, bool wait) ++size_t FileInStream::overrun(size_t itemSize, size_t nItems, bool wait) + { +- if (itemSize > (int)sizeof(b)) ++ if (itemSize > sizeof(b)) + throw Exception("FileInStream overrun: max itemSize exceeded"); + + if (end - ptr != 0) +@@ -80,7 +80,7 @@ int FileInStream::overrun(int itemSize, int nItems, bool wait) + end += b + sizeof(b) - end; + } + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +diff --git a/common/rdr/FileInStream.h b/common/rdr/FileInStream.h +index ace04f3..a33c765 100644 +--- a/common/rdr/FileInStream.h ++++ b/common/rdr/FileInStream.h +@@ -35,10 +35,10 @@ namespace rdr { + + void reset(void); + +- int pos(); ++ size_t pos(); + + protected: +- int overrun(int itemSize, int nItems, bool wait = true); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait = true); + + private: + U8 b[131072]; +diff --git a/common/rdr/HexInStream.cxx b/common/rdr/HexInStream.cxx +index 80f8a79..8f93988 100644 +--- a/common/rdr/HexInStream.cxx ++++ b/common/rdr/HexInStream.cxx +@@ -28,7 +28,7 @@ const int DEFAULT_BUF_LEN = 16384; + + static inline int min(int a, int b) {return a bufSize) + throw Exception("HexInStream overrun: max itemSize exceeded"); + +@@ -92,14 +92,14 @@ int HexInStream::overrun(int itemSize, int nItems, bool wait) { + ptr = start; + + while (end < ptr + itemSize) { +- int n = in_stream.check(2, 1, wait); ++ size_t n = in_stream.check(2, 1, wait); + if (n == 0) return 0; + const U8* iptr = in_stream.getptr(); + const U8* eptr = in_stream.getend(); +- int length = min((eptr - iptr)/2, start + bufSize - end); ++ size_t length = min((eptr - iptr)/2, start + bufSize - end); + + U8* optr = (U8*) end; +- for (int i=0; i end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +diff --git a/common/rdr/HexInStream.h b/common/rdr/HexInStream.h +index 6bfb843..8e495fb 100644 +--- a/common/rdr/HexInStream.h ++++ b/common/rdr/HexInStream.h +@@ -26,21 +26,21 @@ namespace rdr { + class HexInStream : public InStream { + public: + +- HexInStream(InStream& is, int bufSize=0); ++ HexInStream(InStream& is, size_t bufSize=0); + virtual ~HexInStream(); + +- int pos(); ++ size_t pos(); + + static bool readHexAndShift(char c, int* v); +- static bool hexStrToBin(const char* s, char** data, int* length); ++ static bool hexStrToBin(const char* s, char** data, size_t* length); + + protected: +- int overrun(int itemSize, int nItems, bool wait); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait); + + private: +- int bufSize; ++ size_t bufSize; + U8* start; +- int offset; ++ size_t offset; + + InStream& in_stream; + }; +diff --git a/common/rdr/HexOutStream.cxx b/common/rdr/HexOutStream.cxx +index 9b0b6c4..7232514 100644 +--- a/common/rdr/HexOutStream.cxx ++++ b/common/rdr/HexOutStream.cxx +@@ -23,9 +23,9 @@ using namespace rdr; + + const int DEFAULT_BUF_LEN = 16384; + +-static inline int min(int a, int b) {return a> 4) & 15); + buffer[i*2+1] = intToHex((data[i] & 15)); + if (!buffer[i*2] || !buffer[i*2+1]) { +@@ -70,9 +70,9 @@ HexOutStream::writeBuffer() { + out_stream.check(2); + U8* optr = out_stream.getptr(); + U8* oend = out_stream.getend(); +- int length = min(ptr-pos, (oend-optr)/2); ++ size_t length = min(ptr-pos, (oend-optr)/2); + +- for (int i=0; i> 4) & 0xf); + optr[i*2+1] = intToHex(pos[i] & 0xf); + } +@@ -84,7 +84,7 @@ HexOutStream::writeBuffer() { + ptr = start; + } + +-int HexOutStream::length() ++size_t HexOutStream::length() + { + return offset + ptr - start; + } +@@ -95,14 +95,14 @@ HexOutStream::flush() { + out_stream.flush(); + } + +-int +-HexOutStream::overrun(int itemSize, int nItems) { ++size_t ++HexOutStream::overrun(size_t itemSize, size_t nItems) { + if (itemSize > bufSize) + throw Exception("HexOutStream overrun: max itemSize exceeded"); + + writeBuffer(); + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +diff --git a/common/rdr/HexOutStream.h b/common/rdr/HexOutStream.h +index 10247e6..92442a7 100644 +--- a/common/rdr/HexOutStream.h ++++ b/common/rdr/HexOutStream.h +@@ -26,24 +26,24 @@ namespace rdr { + class HexOutStream : public OutStream { + public: + +- HexOutStream(OutStream& os, int buflen=0); ++ HexOutStream(OutStream& os, size_t buflen=0); + virtual ~HexOutStream(); + + void flush(); +- int length(); ++ size_t length(); + + static char intToHex(int i); +- static char* binToHexStr(const char* data, int length); ++ static char* binToHexStr(const char* data, size_t length); + + private: + void writeBuffer(); +- int overrun(int itemSize, int nItems); ++ size_t overrun(size_t itemSize, size_t nItems); + + OutStream& out_stream; + + U8* start; +- int offset; +- int bufSize; ++ size_t offset; ++ size_t bufSize; + }; + + } +diff --git a/common/rdr/InStream.h b/common/rdr/InStream.h +index 212a2ec..14ecf09 100644 +--- a/common/rdr/InStream.h ++++ b/common/rdr/InStream.h +@@ -41,7 +41,7 @@ namespace rdr { + // for the bytes, zero is returned if the bytes are not immediately + // available. + +- inline int check(int itemSize, int nItems=1, bool wait=true) ++ inline size_t check(size_t itemSize, size_t nItems=1, bool wait=true) + { + if (ptr + itemSize * nItems > end) { + if (ptr + itemSize > end) +@@ -56,7 +56,7 @@ namespace rdr { + // be read without blocking. It returns true if this is the case, false + // otherwise. The length must be "small" (less than the buffer size). + +- inline bool checkNoWait(int length) { return check(length, 1, false)!=0; } ++ inline bool checkNoWait(size_t length) { return check(length, 1, false)!=0; } + + // readU/SN() methods read unsigned and signed N-bit integers. + +@@ -82,9 +82,9 @@ namespace rdr { + + static U32 maxStringLength; + +- inline void skip(int bytes) { ++ inline void skip(size_t bytes) { + while (bytes > 0) { +- int n = check(1, bytes); ++ size_t n = check(1, bytes); + ptr += n; + bytes -= n; + } +@@ -92,11 +92,11 @@ namespace rdr { + + // readBytes() reads an exact number of bytes. + +- void readBytes(void* data, int length) { ++ void readBytes(void* data, size_t length) { + U8* dataPtr = (U8*)data; + U8* dataEnd = dataPtr + length; + while (dataPtr < dataEnd) { +- int n = check(1, dataEnd - dataPtr); ++ size_t n = check(1, dataEnd - dataPtr); + memcpy(dataPtr, ptr, n); + ptr += n; + dataPtr += n; +@@ -114,7 +114,7 @@ namespace rdr { + + // pos() returns the position in the stream. + +- virtual int pos() = 0; ++ virtual size_t pos() = 0; + + // getptr(), getend() and setptr() are "dirty" methods which allow you to + // manipulate the buffer directly. This is useful for a stream which is a +@@ -133,7 +133,7 @@ namespace rdr { + // instead of blocking to wait for the bytes, zero is returned if the bytes + // are not immediately available. + +- virtual int overrun(int itemSize, int nItems, bool wait=true) = 0; ++ virtual size_t overrun(size_t itemSize, size_t nItems, bool wait=true) = 0; + + protected: + +diff --git a/common/rdr/MemInStream.h b/common/rdr/MemInStream.h +index 1a6a798..3e9e77b 100644 +--- a/common/rdr/MemInStream.h ++++ b/common/rdr/MemInStream.h +@@ -36,7 +36,7 @@ namespace rdr { + + public: + +- MemInStream(const void* data, int len, bool deleteWhenDone_=false) ++ MemInStream(const void* data, size_t len, bool deleteWhenDone_=false) + : start((const U8*)data), deleteWhenDone(deleteWhenDone_) + { + ptr = start; +@@ -48,12 +48,12 @@ namespace rdr { + delete [] start; + } + +- int pos() { return ptr - start; } +- void reposition(int pos) { ptr = start + pos; } ++ size_t pos() { return ptr - start; } ++ void reposition(size_t pos) { ptr = start + pos; } + + private: + +- int overrun(int itemSize, int nItems, bool wait) { throw EndOfStream(); } ++ size_t overrun(size_t itemSize, size_t nItems, bool wait) { throw EndOfStream(); } + const U8* start; + bool deleteWhenDone; + }; +diff --git a/common/rdr/MemOutStream.h b/common/rdr/MemOutStream.h +index 3b17e55..4a815b3 100644 +--- a/common/rdr/MemOutStream.h ++++ b/common/rdr/MemOutStream.h +@@ -40,16 +40,16 @@ namespace rdr { + delete [] start; + } + +- void writeBytes(const void* data, int length) { ++ void writeBytes(const void* data, size_t length) { + check(length); + memcpy(ptr, data, length); + ptr += length; + } + +- int length() { return ptr - start; } ++ size_t length() { return ptr - start; } + void clear() { ptr = start; }; + void clearAndZero() { memset(start, 0, ptr-start); clear(); } +- void reposition(int pos) { ptr = start + pos; } ++ void reposition(size_t pos) { ptr = start + pos; } + + // data() returns a pointer to the buffer. + +@@ -60,9 +60,9 @@ namespace rdr { + // overrun() either doubles the buffer or adds enough space for nItems of + // size itemSize bytes. + +- int overrun(int itemSize, int nItems) { +- int len = ptr - start + itemSize * nItems; +- if (len < (end - start) * 2) ++ size_t overrun(size_t itemSize, size_t nItems) { ++ size_t len = ptr - start + itemSize * nItems; ++ if (len < (size_t)(end - start) * 2) + len = (end - start) * 2; + + U8* newStart = new U8[len]; +diff --git a/common/rdr/OutStream.h b/common/rdr/OutStream.h +index a749a20..11aafd2 100644 +--- a/common/rdr/OutStream.h ++++ b/common/rdr/OutStream.h +@@ -44,7 +44,7 @@ namespace rdr { + // itemSize bytes. Returns the number of items which fit (up to a maximum + // of nItems). + +- inline int check(int itemSize, int nItems=1) ++ inline size_t check(size_t itemSize, size_t nItems=1) + { + if (ptr + itemSize * nItems > end) { + if (ptr + itemSize > end) +@@ -76,13 +76,13 @@ namespace rdr { + writeBytes(str, len); + } + +- inline void pad(int bytes) { ++ inline void pad(size_t bytes) { + while (bytes-- > 0) writeU8(0); + } + +- inline void skip(int bytes) { ++ inline void skip(size_t bytes) { + while (bytes > 0) { +- int n = check(1, bytes); ++ size_t n = check(1, bytes); + ptr += n; + bytes -= n; + } +@@ -90,11 +90,11 @@ namespace rdr { + + // writeBytes() writes an exact number of bytes. + +- void writeBytes(const void* data, int length) { ++ void writeBytes(const void* data, size_t length) { + const U8* dataPtr = (const U8*)data; + const U8* dataEnd = dataPtr + length; + while (dataPtr < dataEnd) { +- int n = check(1, dataEnd - dataPtr); ++ size_t n = check(1, dataEnd - dataPtr); + memcpy(ptr, dataPtr, n); + ptr += n; + dataPtr += n; +@@ -103,9 +103,9 @@ namespace rdr { + + // copyBytes() efficiently transfers data between streams + +- void copyBytes(InStream* is, int length) { ++ void copyBytes(InStream* is, size_t length) { + while (length > 0) { +- int n = check(1, length); ++ size_t n = check(1, length); + is->readBytes(ptr, n); + ptr += n; + length -= n; +@@ -124,7 +124,7 @@ namespace rdr { + + // length() returns the length of the stream. + +- virtual int length() = 0; ++ virtual size_t length() = 0; + + // flush() requests that the stream be flushed. + +@@ -145,7 +145,7 @@ namespace rdr { + // the number of items which fit (up to a maximum of nItems). itemSize is + // supposed to be "small" (a few bytes). + +- virtual int overrun(int itemSize, int nItems) = 0; ++ virtual size_t overrun(size_t itemSize, size_t nItems) = 0; + + protected: + +diff --git a/common/rdr/RandomStream.cxx b/common/rdr/RandomStream.cxx +index 3fde18d..7681095 100644 +--- a/common/rdr/RandomStream.cxx ++++ b/common/rdr/RandomStream.cxx +@@ -32,7 +32,7 @@ + + using namespace rdr; + +-const int DEFAULT_BUF_LEN = 256; ++const size_t DEFAULT_BUF_LEN = 256; + + unsigned int RandomStream::seed; + +@@ -83,11 +83,11 @@ RandomStream::~RandomStream() { + #endif + } + +-int RandomStream::pos() { ++size_t RandomStream::pos() { + return offset + ptr - start; + } + +-int RandomStream::overrun(int itemSize, int nItems, bool wait) { ++size_t RandomStream::overrun(size_t itemSize, size_t nItems, bool wait) { + if (itemSize > DEFAULT_BUF_LEN) + throw Exception("RandomStream overrun: max itemSize exceeded"); + +@@ -98,7 +98,7 @@ int RandomStream::overrun(int itemSize, int nItems, bool wait) { + offset += ptr - start; + ptr = start; + +- int length = start + DEFAULT_BUF_LEN - end; ++ size_t length = start + DEFAULT_BUF_LEN - end; + + #ifdef RFB_HAVE_WINCRYPT + if (provider) { +@@ -109,7 +109,7 @@ int RandomStream::overrun(int itemSize, int nItems, bool wait) { + #else + #ifndef WIN32 + if (fp) { +- int n = fread((U8*)end, length, 1, fp); ++ size_t n = fread((U8*)end, length, 1, fp); + if (n != 1) + throw rdr::SystemException("reading /dev/urandom or /dev/random failed", + errno); +@@ -119,11 +119,11 @@ int RandomStream::overrun(int itemSize, int nItems, bool wait) { + { + #endif + #endif +- for (int i=0; i end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +diff --git a/common/rdr/RandomStream.h b/common/rdr/RandomStream.h +index c33360d..80b389b 100644 +--- a/common/rdr/RandomStream.h ++++ b/common/rdr/RandomStream.h +@@ -39,14 +39,14 @@ namespace rdr { + RandomStream(); + virtual ~RandomStream(); + +- int pos(); ++ size_t pos(); + + protected: +- int overrun(int itemSize, int nItems, bool wait); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait); + + private: + U8* start; +- int offset; ++ size_t offset; + + static unsigned int seed; + #ifdef RFB_HAVE_WINCRYPT +diff --git a/common/rdr/SubstitutingInStream.h b/common/rdr/SubstitutingInStream.h +index 325b01c..1466fef 100644 +--- a/common/rdr/SubstitutingInStream.h ++++ b/common/rdr/SubstitutingInStream.h +@@ -45,9 +45,9 @@ namespace rdr { + delete [] subst; + } + +- int pos() { return underlying->pos(); } ++ size_t pos() { return underlying->pos(); } + +- virtual int overrun(int itemSize, int nItems, bool wait=true) { ++ virtual size_t overrun(size_t itemSize, size_t nItems, bool wait=true) { + if (itemSize != 1) + throw new rdr::Exception("SubstitutingInStream: itemSize must be 1"); + +diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx +index 77b1672..d0f9426 100644 +--- a/common/rdr/TLSInStream.cxx ++++ b/common/rdr/TLSInStream.cxx +@@ -75,12 +75,12 @@ TLSInStream::~TLSInStream() + delete[] start; + } + +-int TLSInStream::pos() ++size_t TLSInStream::pos() + { + return offset + ptr - start; + } + +-int TLSInStream::overrun(int itemSize, int nItems, bool wait) ++size_t TLSInStream::overrun(size_t itemSize, size_t nItems, bool wait) + { + if (itemSize > bufSize) + throw Exception("TLSInStream overrun: max itemSize exceeded"); +@@ -93,19 +93,19 @@ int TLSInStream::overrun(int itemSize, int nItems, bool wait) + ptr = start; + + while (end < start + itemSize) { +- int n = readTLS((U8*) end, start + bufSize - end, wait); ++ size_t n = readTLS((U8*) end, start + bufSize - end, wait); + if (!wait && n == 0) + return 0; + end += n; + } + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; + } + +-int TLSInStream::readTLS(U8* buf, int len, bool wait) ++size_t TLSInStream::readTLS(U8* buf, size_t len, bool wait) + { + int n; + +diff --git a/common/rdr/TLSInStream.h b/common/rdr/TLSInStream.h +index b16d9f5..5f9dee7 100644 +--- a/common/rdr/TLSInStream.h ++++ b/common/rdr/TLSInStream.h +@@ -36,17 +36,17 @@ namespace rdr { + TLSInStream(InStream* in, gnutls_session_t session); + virtual ~TLSInStream(); + +- int pos(); ++ size_t pos(); + + private: +- int overrun(int itemSize, int nItems, bool wait); +- int readTLS(U8* buf, int len, bool wait); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait); ++ size_t readTLS(U8* buf, size_t len, bool wait); + static ssize_t pull(gnutls_transport_ptr_t str, void* data, size_t size); + + gnutls_session_t session; + InStream* in; +- int bufSize; +- int offset; ++ size_t bufSize; ++ size_t offset; + U8* start; + }; + }; +diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx +index 44d2d9f..30c456f 100644 +--- a/common/rdr/TLSOutStream.cxx ++++ b/common/rdr/TLSOutStream.cxx +@@ -75,7 +75,7 @@ TLSOutStream::~TLSOutStream() + delete [] start; + } + +-int TLSOutStream::length() ++size_t TLSOutStream::length() + { + return offset + ptr - start; + } +@@ -84,7 +84,7 @@ void TLSOutStream::flush() + { + U8* sentUpTo = start; + while (sentUpTo < ptr) { +- int n = writeTLS(sentUpTo, ptr - sentUpTo); ++ size_t n = writeTLS(sentUpTo, ptr - sentUpTo); + sentUpTo += n; + offset += n; + } +@@ -93,20 +93,20 @@ void TLSOutStream::flush() + out->flush(); + } + +-int TLSOutStream::overrun(int itemSize, int nItems) ++size_t TLSOutStream::overrun(size_t itemSize, size_t nItems) + { + if (itemSize > bufSize) + throw Exception("TLSOutStream overrun: max itemSize exceeded"); + + flush(); + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; + } + +-int TLSOutStream::writeTLS(const U8* data, int length) ++size_t TLSOutStream::writeTLS(const U8* data, size_t length) + { + int n; + +diff --git a/common/rdr/TLSOutStream.h b/common/rdr/TLSOutStream.h +index 81dd237..71a7f3b 100644 +--- a/common/rdr/TLSOutStream.h ++++ b/common/rdr/TLSOutStream.h +@@ -36,20 +36,20 @@ namespace rdr { + virtual ~TLSOutStream(); + + void flush(); +- int length(); ++ size_t length(); + + protected: +- int overrun(int itemSize, int nItems); ++ size_t overrun(size_t itemSize, size_t nItems); + + private: +- int writeTLS(const U8* data, int length); ++ size_t writeTLS(const U8* data, size_t length); + static ssize_t push(gnutls_transport_ptr_t str, const void* data, size_t size); + + gnutls_session_t session; + OutStream* out; +- int bufSize; ++ size_t bufSize; + U8* start; +- int offset; ++ size_t offset; + }; + }; + +diff --git a/common/rdr/ZlibInStream.cxx b/common/rdr/ZlibInStream.cxx +index a361010..e2f971c 100644 +--- a/common/rdr/ZlibInStream.cxx ++++ b/common/rdr/ZlibInStream.cxx +@@ -26,7 +26,7 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ZlibInStream::ZlibInStream(int bufSize_) ++ZlibInStream::ZlibInStream(size_t bufSize_) + : underlying(0), bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0), + zs(NULL), bytesIn(0) + { +@@ -40,14 +40,14 @@ ZlibInStream::~ZlibInStream() + delete [] start; + } + +-void ZlibInStream::setUnderlying(InStream* is, int bytesIn_) ++void ZlibInStream::setUnderlying(InStream* is, size_t bytesIn_) + { + underlying = is; + bytesIn = bytesIn_; + ptr = end = start; + } + +-int ZlibInStream::pos() ++size_t ZlibInStream::pos() + { + return offset + ptr - start; + } +@@ -96,7 +96,7 @@ void ZlibInStream::deinit() + zs = NULL; + } + +-int ZlibInStream::overrun(int itemSize, int nItems, bool wait) ++size_t ZlibInStream::overrun(size_t itemSize, size_t nItems, bool wait) + { + if (itemSize > bufSize) + throw Exception("ZlibInStream overrun: max itemSize exceeded"); +@@ -108,12 +108,12 @@ int ZlibInStream::overrun(int itemSize, int nItems, bool wait) + end -= ptr - start; + ptr = start; + +- while (end - ptr < itemSize) { ++ while ((size_t)(end - ptr) < itemSize) { + if (!decompress(wait)) + return 0; + } + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +@@ -131,11 +131,11 @@ bool ZlibInStream::decompress(bool wait) + zs->next_out = (U8*)end; + zs->avail_out = start + bufSize - end; + +- int n = underlying->check(1, 1, wait); ++ size_t n = underlying->check(1, 1, wait); + if (n == 0) return false; + zs->next_in = (U8*)underlying->getptr(); + zs->avail_in = underlying->getend() - underlying->getptr(); +- if ((int)zs->avail_in > bytesIn) ++ if (zs->avail_in > bytesIn) + zs->avail_in = bytesIn; + + int rc = inflate(zs, Z_SYNC_FLUSH); +diff --git a/common/rdr/ZlibInStream.h b/common/rdr/ZlibInStream.h +index 86ba1ff..08784b0 100644 +--- a/common/rdr/ZlibInStream.h ++++ b/common/rdr/ZlibInStream.h +@@ -34,12 +34,12 @@ namespace rdr { + + public: + +- ZlibInStream(int bufSize=0); ++ ZlibInStream(size_t bufSize=0); + virtual ~ZlibInStream(); + +- void setUnderlying(InStream* is, int bytesIn); ++ void setUnderlying(InStream* is, size_t bytesIn); + void flushUnderlying(); +- int pos(); ++ size_t pos(); + void reset(); + + private: +@@ -47,14 +47,14 @@ namespace rdr { + void init(); + void deinit(); + +- int overrun(int itemSize, int nItems, bool wait); ++ size_t overrun(size_t itemSize, size_t nItems, bool wait); + bool decompress(bool wait); + + InStream* underlying; +- int bufSize; +- int offset; ++ size_t bufSize; ++ size_t offset; + z_stream_s* zs; +- int bytesIn; ++ size_t bytesIn; + U8* start; + }; + +diff --git a/common/rdr/ZlibOutStream.cxx b/common/rdr/ZlibOutStream.cxx +index 9d9f8ba..4e7ffd6 100644 +--- a/common/rdr/ZlibOutStream.cxx ++++ b/common/rdr/ZlibOutStream.cxx +@@ -30,7 +30,7 @@ using namespace rdr; + + enum { DEFAULT_BUF_SIZE = 16384 }; + +-ZlibOutStream::ZlibOutStream(OutStream* os, int bufSize_, int compressLevel) ++ZlibOutStream::ZlibOutStream(OutStream* os, size_t bufSize_, int compressLevel) + : underlying(os), compressionLevel(compressLevel), newLevel(compressLevel), + bufSize(bufSize_ ? bufSize_ : DEFAULT_BUF_SIZE), offset(0) + { +@@ -72,7 +72,7 @@ void ZlibOutStream::setCompressionLevel(int level) + newLevel = level; + } + +-int ZlibOutStream::length() ++size_t ZlibOutStream::length() + { + return offset + ptr - start; + } +@@ -95,7 +95,7 @@ void ZlibOutStream::flush() + ptr = start; + } + +-int ZlibOutStream::overrun(int itemSize, int nItems) ++size_t ZlibOutStream::overrun(size_t itemSize, size_t nItems) + { + #ifdef ZLIBOUT_DEBUG + fprintf(stderr,"zos overrun\n"); +@@ -106,7 +106,7 @@ int ZlibOutStream::overrun(int itemSize, int nItems) + + checkCompressionLevel(); + +- while (end - ptr < itemSize) { ++ while ((size_t)(end - ptr) < itemSize) { + zs->next_in = start; + zs->avail_in = ptr - start; + +@@ -127,7 +127,7 @@ int ZlibOutStream::overrun(int itemSize, int nItems) + } + } + +- if (itemSize * nItems > end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + + return nItems; +diff --git a/common/rdr/ZlibOutStream.h b/common/rdr/ZlibOutStream.h +index 2d82a13..11bb046 100644 +--- a/common/rdr/ZlibOutStream.h ++++ b/common/rdr/ZlibOutStream.h +@@ -35,25 +35,25 @@ namespace rdr { + + public: + +- ZlibOutStream(OutStream* os=0, int bufSize=0, int compressionLevel=-1); ++ ZlibOutStream(OutStream* os=0, size_t bufSize=0, int compressionLevel=-1); + virtual ~ZlibOutStream(); + + void setUnderlying(OutStream* os); + void setCompressionLevel(int level=-1); + void flush(); +- int length(); ++ size_t length(); + + private: + +- int overrun(int itemSize, int nItems); ++ size_t overrun(size_t itemSize, size_t nItems); + void deflate(int flush); + void checkCompressionLevel(); + + OutStream* underlying; + int compressionLevel; + int newLevel; +- int bufSize; +- int offset; ++ size_t bufSize; ++ size_t offset; + z_stream_s* zs; + U8* start; + }; +diff --git a/common/rfb/Configuration.cxx b/common/rfb/Configuration.cxx +index 619c4d5..f35b0bc 100644 +--- a/common/rfb/Configuration.cxx ++++ b/common/rfb/Configuration.cxx +@@ -421,7 +421,7 @@ StringParameter::operator const char *() const { + // -=- BinaryParameter + + BinaryParameter::BinaryParameter(const char* name_, const char* desc_, +- const void* v, int l, ConfigurationObject co) ++ const void* v, size_t l, ConfigurationObject co) + : VoidParameter(name_, desc_, co), value(0), length(0), def_value((char*)v), def_length(l) { + if (l) { + value = new char[l]; +@@ -441,7 +441,7 @@ bool BinaryParameter::setParam(const char* v) { + return rdr::HexInStream::hexStrToBin(v, &value, &length); + } + +-void BinaryParameter::setParam(const void* v, int len) { ++void BinaryParameter::setParam(const void* v, size_t len) { + LOCK_CONFIG; + if (immutable) return; + vlog.debug("set %s(Binary)", getName()); +@@ -462,7 +462,7 @@ char* BinaryParameter::getValueStr() const { + return rdr::HexOutStream::binToHexStr(value, length); + } + +-void BinaryParameter::getData(void** data_, int* length_) const { ++void BinaryParameter::getData(void** data_, size_t* length_) const { + LOCK_CONFIG; + if (length_) *length_ = length; + if (data_) { +diff --git a/common/rfb/Configuration.h b/common/rfb/Configuration.h +index 6197317..e23e8a5 100644 +--- a/common/rfb/Configuration.h ++++ b/common/rfb/Configuration.h +@@ -256,24 +256,25 @@ namespace rfb { + + class BinaryParameter : public VoidParameter { + public: +- BinaryParameter(const char* name_, const char* desc_, const void* v, int l, +- ConfigurationObject co=ConfGlobal); ++ BinaryParameter(const char* name_, const char* desc_, ++ const void* v, size_t l, ++ ConfigurationObject co=ConfGlobal); + using VoidParameter::setParam; + virtual ~BinaryParameter(); + virtual bool setParam(const char* value); +- virtual void setParam(const void* v, int l); ++ virtual void setParam(const void* v, size_t l); + virtual char* getDefaultStr() const; + virtual char* getValueStr() const; + + // getData() will return length zero if there is no data + // NB: data may be set to zero, OR set to a zero-length buffer +- void getData(void** data, int* length) const; ++ void getData(void** data, size_t* length) const; + + protected: + char* value; +- int length; ++ size_t length; + char* def_value; +- int def_length; ++ size_t def_length; + }; + + // -=- ParameterIterator +diff --git a/common/rfb/Password.cxx b/common/rfb/Password.cxx +index 240c9d4..e4a508c 100644 +--- a/common/rfb/Password.cxx ++++ b/common/rfb/Password.cxx +@@ -38,7 +38,7 @@ PlainPasswd::PlainPasswd() {} + PlainPasswd::PlainPasswd(char* pwd) : CharArray(pwd) { + } + +-PlainPasswd::PlainPasswd(int len) : CharArray(len) { ++PlainPasswd::PlainPasswd(size_t len) : CharArray(len) { + } + + PlainPasswd::PlainPasswd(const ObfuscatedPasswd& obfPwd) : CharArray(9) { +@@ -63,11 +63,11 @@ void PlainPasswd::replaceBuf(char* b) { + ObfuscatedPasswd::ObfuscatedPasswd() : length(0) { + } + +-ObfuscatedPasswd::ObfuscatedPasswd(int len) : CharArray(len), length(len) { ++ObfuscatedPasswd::ObfuscatedPasswd(size_t len) : CharArray(len), length(len) { + } + + ObfuscatedPasswd::ObfuscatedPasswd(const PlainPasswd& plainPwd) : CharArray(8), length(8) { +- int l = strlen(plainPwd.buf), i; ++ size_t l = strlen(plainPwd.buf), i; + for (i=0; i<8; i++) + buf[i] = i end - ptr) ++ if (itemSize * nItems > (size_t)(end - ptr)) + nItems = (end - ptr) / itemSize; + return nItems; + } +diff --git a/win/rfb_win32/Registry.cxx b/win/rfb_win32/Registry.cxx +index 963a36a..87086ad 100644 +--- a/win/rfb_win32/Registry.cxx ++++ b/win/rfb_win32/Registry.cxx +@@ -146,7 +146,7 @@ void RegKey::setString(const TCHAR* valname, const TCHAR* value) const { + if (result != ERROR_SUCCESS) throw rdr::SystemException("setString", result); + } + +-void RegKey::setBinary(const TCHAR* valname, const void* value, int length) const { ++void RegKey::setBinary(const TCHAR* valname, const void* value, size_t length) const { + LONG result = RegSetValueEx(key, valname, 0, REG_BINARY, (const BYTE*)value, length); + if (result != ERROR_SUCCESS) throw rdr::SystemException("setBinary", result); + } +@@ -169,12 +169,12 @@ TCHAR* RegKey::getString(const TCHAR* valname, const TCHAR* def) const { + } + } + +-void RegKey::getBinary(const TCHAR* valname, void** data, int* length) const { ++void RegKey::getBinary(const TCHAR* valname, void** data, size_t* length) const { + TCharArray hex(getRepresentation(valname)); + if (!rdr::HexInStream::hexStrToBin(CStr(hex.buf), (char**)data, length)) + throw rdr::Exception("getBinary failed"); + } +-void RegKey::getBinary(const TCHAR* valname, void** data, int* length, void* def, int deflen) const { ++void RegKey::getBinary(const TCHAR* valname, void** data, size_t* length, void* def, size_t deflen) const { + try { + getBinary(valname, data, length); + } catch(rdr::Exception&) { +diff --git a/win/rfb_win32/Registry.h b/win/rfb_win32/Registry.h +index 68d535c..2bb1691 100644 +--- a/win/rfb_win32/Registry.h ++++ b/win/rfb_win32/Registry.h +@@ -71,15 +71,15 @@ namespace rfb { + + void setExpandString(const TCHAR* valname, const TCHAR* s) const; + void setString(const TCHAR* valname, const TCHAR* s) const; +- void setBinary(const TCHAR* valname, const void* data, int length) const; ++ void setBinary(const TCHAR* valname, const void* data, size_t length) const; + void setInt(const TCHAR* valname, int i) const; + void setBool(const TCHAR* valname, bool b) const; + + TCHAR* getString(const TCHAR* valname) const; + TCHAR* getString(const TCHAR* valname, const TCHAR* def) const; + +- void getBinary(const TCHAR* valname, void** data, int* length) const; +- void getBinary(const TCHAR* valname, void** data, int* length, void* def, int deflength) const; ++ void getBinary(const TCHAR* valname, void** data, size_t* length) const; ++ void getBinary(const TCHAR* valname, void** data, size_t* length, void* def, size_t deflength) const; + + int getInt(const TCHAR* valname) const; + int getInt(const TCHAR* valname, int def) const; diff --git a/SOURCES/tigervnc-CVE-2019-15695.patch b/SOURCES/tigervnc-CVE-2019-15695.patch new file mode 100644 index 0000000..44c380c --- /dev/null +++ b/SOURCES/tigervnc-CVE-2019-15695.patch @@ -0,0 +1,17 @@ +diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx +index a9d015d..896f4e5 100644 +--- a/common/rfb/PixelFormat.cxx ++++ b/common/rfb/PixelFormat.cxx +@@ -200,6 +200,12 @@ bool PixelFormat::is888(void) const + return false; + if (blueMax != 255) + return false; ++ if ((redShift & 0x7) != 0) ++ return false; ++ if ((greenShift & 0x7) != 0) ++ return false; ++ if ((blueShift & 0x7) != 0) ++ return false; + + return true; + } diff --git a/SOURCES/tigervnc-add-write-protection-to-offsetpixelbuffer.patch b/SOURCES/tigervnc-add-write-protection-to-offsetpixelbuffer.patch new file mode 100644 index 0000000..39216f2 --- /dev/null +++ b/SOURCES/tigervnc-add-write-protection-to-offsetpixelbuffer.patch @@ -0,0 +1,51 @@ +From 9f615301aba1cc54a749950bf9462c5a85217bc4 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 10 Sep 2019 15:25:30 +0200 +Subject: [PATCH] Add write protection to OffsetPixelBuffer + +No one should every try to write to this buffer. Enforce that by +throwing an exception if any one tries to get a writeable pointer +to the data. +--- + common/rfb/EncodeManager.cxx | 6 ++++++ + common/rfb/EncodeManager.h | 3 +++ + 2 files changed, 9 insertions(+) + +diff --git a/common/rfb/EncodeManager.cxx b/common/rfb/EncodeManager.cxx +index 1653cea..66ba432 100644 +--- a/common/rfb/EncodeManager.cxx ++++ b/common/rfb/EncodeManager.cxx +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -895,6 +896,11 @@ void EncodeManager::OffsetPixelBuffer::update(const PixelFormat& pf, + setBuffer(width, height, (rdr::U8*)data_, stride_); + } + ++rdr::U8* EncodeManager::OffsetPixelBuffer::getBufferRW(const Rect& r, int* stride) ++{ ++ throw rfb::Exception("Invalid write attempt to OffsetPixelBuffer"); ++} ++ + // Preprocessor generated, optimised methods + + #define BPP 8 +diff --git a/common/rfb/EncodeManager.h b/common/rfb/EncodeManager.h +index 79db950..7d47420 100644 +--- a/common/rfb/EncodeManager.h ++++ b/common/rfb/EncodeManager.h +@@ -124,6 +124,9 @@ namespace rfb { + + void update(const PixelFormat& pf, int width, int height, + const rdr::U8* data_, int stride); ++ ++ private: ++ virtual rdr::U8* getBufferRW(const Rect& r, int* stride); + }; + + OffsetPixelBuffer offsetPixelBuffer; diff --git a/SOURCES/tigervnc-be-defensive-about-overflows-in-stream-objects.patch b/SOURCES/tigervnc-be-defensive-about-overflows-in-stream-objects.patch new file mode 100644 index 0000000..032d4c7 --- /dev/null +++ b/SOURCES/tigervnc-be-defensive-about-overflows-in-stream-objects.patch @@ -0,0 +1,355 @@ +From 75e6e0653a48baf474fd45d78b1da53e2f324642 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 24 Sep 2019 09:41:07 +0200 +Subject: [PATCH] Be defensive about overflows in stream objects + +We use a lot of lengths given to us over the network, so be more +paranoid about them causing an overflow as otherwise an attacker +might trick us in to overwriting other memory. + +This primarily affects the client which often gets lengths from the +server, but there are also some scenarios where the server might +theoretically be vulnerable. + +Issue found by Pavel Cheremushkin from Kaspersky Lab. +--- + common/rdr/FdInStream.cxx | 8 +++++--- + common/rdr/FdOutStream.cxx | 7 ++++--- + common/rdr/FileInStream.cxx | 8 +++++--- + common/rdr/HexInStream.cxx | 8 +++++--- + common/rdr/HexOutStream.cxx | 6 ++++-- + common/rdr/InStream.h | 24 +++++++++++++----------- + common/rdr/MemOutStream.h | 4 ++++ + common/rdr/OutStream.h | 24 +++++++++++++----------- + common/rdr/RandomStream.cxx | 6 ++++-- + common/rdr/TLSInStream.cxx | 10 ++++++---- + common/rdr/TLSOutStream.cxx | 6 ++++-- + common/rdr/ZlibInStream.cxx | 6 ++++-- + common/rdr/ZlibOutStream.cxx | 6 ++++-- + 13 files changed, 75 insertions(+), 48 deletions(-) + +diff --git a/common/rdr/FdInStream.cxx b/common/rdr/FdInStream.cxx +index 789cbec..406ece5 100644 +--- a/common/rdr/FdInStream.cxx ++++ b/common/rdr/FdInStream.cxx +@@ -136,7 +136,7 @@ size_t FdInStream::overrun(size_t itemSize, size_t nItems, bool wait) + ptr = start; + + size_t bytes_to_read; +- while (end < start + itemSize) { ++ while ((size_t)(end - start) < itemSize) { + bytes_to_read = start + bufSize - end; + if (!timing) { + // When not timing, we must be careful not to read too much +@@ -152,8 +152,10 @@ size_t FdInStream::overrun(size_t itemSize, size_t nItems, bool wait) + end += n; + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/FdOutStream.cxx b/common/rdr/FdOutStream.cxx +index 1757dc3..f5d07e4 100644 +--- a/common/rdr/FdOutStream.cxx ++++ b/common/rdr/FdOutStream.cxx +@@ -149,9 +149,10 @@ size_t FdOutStream::overrun(size_t itemSize, size_t nItems) + } + } + +- // Can we fit all the items asked for? +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/FileInStream.cxx b/common/rdr/FileInStream.cxx +index 94f5db8..bdb05a3 100644 +--- a/common/rdr/FileInStream.cxx ++++ b/common/rdr/FileInStream.cxx +@@ -68,7 +68,7 @@ size_t FileInStream::overrun(size_t itemSize, size_t nItems, bool wait) + ptr = b; + + +- while (end < b + itemSize) { ++ while ((size_t)(end - b) < itemSize) { + size_t n = fread((U8 *)end, b + sizeof(b) - end, 1, file); + if (n == 0) { + if (ferror(file)) +@@ -80,8 +80,10 @@ size_t FileInStream::overrun(size_t itemSize, size_t nItems, bool wait) + end += b + sizeof(b) - end; + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/HexInStream.cxx b/common/rdr/HexInStream.cxx +index 8f93988..a6bc92c 100644 +--- a/common/rdr/HexInStream.cxx ++++ b/common/rdr/HexInStream.cxx +@@ -91,7 +91,7 @@ size_t HexInStream::overrun(size_t itemSize, size_t nItems, bool wait) { + offset += ptr - start; + ptr = start; + +- while (end < ptr + itemSize) { ++ while ((size_t)(end - ptr) < itemSize) { + size_t n = in_stream.check(2, 1, wait); + if (n == 0) return 0; + const U8* iptr = in_stream.getptr(); +@@ -110,8 +110,10 @@ size_t HexInStream::overrun(size_t itemSize, size_t nItems, bool wait) { + end += length; + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/HexOutStream.cxx b/common/rdr/HexOutStream.cxx +index 7232514..eac2eff 100644 +--- a/common/rdr/HexOutStream.cxx ++++ b/common/rdr/HexOutStream.cxx +@@ -102,8 +102,10 @@ HexOutStream::overrun(size_t itemSize, size_t nItems) { + + writeBuffer(); + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/InStream.h b/common/rdr/InStream.h +index 14ecf09..f71a4d9 100644 +--- a/common/rdr/InStream.h ++++ b/common/rdr/InStream.h +@@ -43,12 +43,15 @@ namespace rdr { + + inline size_t check(size_t itemSize, size_t nItems=1, bool wait=true) + { +- if (ptr + itemSize * nItems > end) { +- if (ptr + itemSize > end) +- return overrun(itemSize, nItems, wait); ++ size_t nAvail; ++ ++ if (itemSize > (size_t)(end - ptr)) ++ return overrun(itemSize, nItems, wait); ++ ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + +- nItems = (end - ptr) / itemSize; +- } + return nItems; + } + +@@ -93,13 +96,12 @@ namespace rdr { + // readBytes() reads an exact number of bytes. + + void readBytes(void* data, size_t length) { +- U8* dataPtr = (U8*)data; +- U8* dataEnd = dataPtr + length; +- while (dataPtr < dataEnd) { +- size_t n = check(1, dataEnd - dataPtr); +- memcpy(dataPtr, ptr, n); ++ while (length > 0) { ++ size_t n = check(1, length); ++ memcpy(data, ptr, n); + ptr += n; +- dataPtr += n; ++ data = (U8*)data + n; ++ length -= n; + } + } + +diff --git a/common/rdr/MemOutStream.h b/common/rdr/MemOutStream.h +index 4a815b3..b56bac3 100644 +--- a/common/rdr/MemOutStream.h ++++ b/common/rdr/MemOutStream.h +@@ -23,6 +23,7 @@ + #ifndef __RDR_MEMOUTSTREAM_H__ + #define __RDR_MEMOUTSTREAM_H__ + ++#include + #include + + namespace rdr { +@@ -65,6 +66,9 @@ namespace rdr { + if (len < (size_t)(end - start) * 2) + len = (end - start) * 2; + ++ if (len < (size_t)(end - start)) ++ throw Exception("Overflow in MemOutStream::overrun()"); ++ + U8* newStart = new U8[len]; + memcpy(newStart, start, ptr - start); + ptr = newStart + (ptr - start); +diff --git a/common/rdr/OutStream.h b/common/rdr/OutStream.h +index 11aafd2..0f60ccc 100644 +--- a/common/rdr/OutStream.h ++++ b/common/rdr/OutStream.h +@@ -46,12 +46,15 @@ namespace rdr { + + inline size_t check(size_t itemSize, size_t nItems=1) + { +- if (ptr + itemSize * nItems > end) { +- if (ptr + itemSize > end) +- return overrun(itemSize, nItems); ++ size_t nAvail; ++ ++ if (itemSize > (size_t)(end - ptr)) ++ return overrun(itemSize, nItems); ++ ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + +- nItems = (end - ptr) / itemSize; +- } + return nItems; + } + +@@ -91,13 +94,12 @@ namespace rdr { + // writeBytes() writes an exact number of bytes. + + void writeBytes(const void* data, size_t length) { +- const U8* dataPtr = (const U8*)data; +- const U8* dataEnd = dataPtr + length; +- while (dataPtr < dataEnd) { +- size_t n = check(1, dataEnd - dataPtr); +- memcpy(ptr, dataPtr, n); ++ while (length > 0) { ++ size_t n = check(1, length); ++ memcpy(ptr, data, n); + ptr += n; +- dataPtr += n; ++ data = (U8*)data + n; ++ length -= n; + } + } + +diff --git a/common/rdr/RandomStream.cxx b/common/rdr/RandomStream.cxx +index 7681095..6c64ac5 100644 +--- a/common/rdr/RandomStream.cxx ++++ b/common/rdr/RandomStream.cxx +@@ -123,8 +123,10 @@ size_t RandomStream::overrun(size_t itemSize, size_t nItems, bool wait) { + *(U8*)end++ = (int) (256.0*rand()/(RAND_MAX+1.0)); + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/TLSInStream.cxx b/common/rdr/TLSInStream.cxx +index d0f9426..3e1172f 100644 +--- a/common/rdr/TLSInStream.cxx ++++ b/common/rdr/TLSInStream.cxx +@@ -43,7 +43,7 @@ ssize_t TLSInStream::pull(gnutls_transport_ptr_t str, void* data, size_t size) + return -1; + } + +- if (in->getend() - in->getptr() < (ptrdiff_t)size) ++ if ((size_t)(in->getend() - in->getptr()) < size) + size = in->getend() - in->getptr(); + + in->readBytes(data, size); +@@ -92,15 +92,17 @@ size_t TLSInStream::overrun(size_t itemSize, size_t nItems, bool wait) + end -= ptr - start; + ptr = start; + +- while (end < start + itemSize) { ++ while ((size_t)(end - start) < itemSize) { + size_t n = readTLS((U8*) end, start + bufSize - end, wait); + if (!wait && n == 0) + return 0; + end += n; + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/TLSOutStream.cxx b/common/rdr/TLSOutStream.cxx +index 30c456f..7d7c3b5 100644 +--- a/common/rdr/TLSOutStream.cxx ++++ b/common/rdr/TLSOutStream.cxx +@@ -100,8 +100,10 @@ size_t TLSOutStream::overrun(size_t itemSize, size_t nItems) + + flush(); + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/ZlibInStream.cxx b/common/rdr/ZlibInStream.cxx +index e2f971c..9fcfaf6 100644 +--- a/common/rdr/ZlibInStream.cxx ++++ b/common/rdr/ZlibInStream.cxx +@@ -113,8 +113,10 @@ size_t ZlibInStream::overrun(size_t itemSize, size_t nItems, bool wait) + return 0; + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } +diff --git a/common/rdr/ZlibOutStream.cxx b/common/rdr/ZlibOutStream.cxx +index 4e7ffd6..5e158bf 100644 +--- a/common/rdr/ZlibOutStream.cxx ++++ b/common/rdr/ZlibOutStream.cxx +@@ -127,8 +127,10 @@ size_t ZlibOutStream::overrun(size_t itemSize, size_t nItems) + } + } + +- if (itemSize * nItems > (size_t)(end - ptr)) +- nItems = (end - ptr) / itemSize; ++ size_t nAvail; ++ nAvail = (end - ptr) / itemSize; ++ if (nAvail < nItems) ++ return nAvail; + + return nItems; + } diff --git a/SOURCES/tigervnc-encapsulate-pixelbuffer-internal-details.patch b/SOURCES/tigervnc-encapsulate-pixelbuffer-internal-details.patch new file mode 100644 index 0000000..795a8f1 --- /dev/null +++ b/SOURCES/tigervnc-encapsulate-pixelbuffer-internal-details.patch @@ -0,0 +1,526 @@ +From 53f913a76196c7357d4858bfbf2c33caa9181bae Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Tue, 10 Sep 2019 15:18:30 +0200 +Subject: [PATCH] Encapsulate PixelBuffer internal details + +Don't allow subclasses to just override dimensions or buffer details +directly and instead force them to go via methods. This allows us +to do sanity checks on the new values and catch bugs and attacks. +--- + common/rfb/Cursor.cxx | 3 +- + common/rfb/EncodeManager.cxx | 5 +- + common/rfb/PixelBuffer.cxx | 103 ++++++++++++++++---------- + common/rfb/PixelBuffer.h | 17 +++-- + unix/x0vncserver/XPixelBuffer.cxx | 9 +-- + unix/xserver/hw/vnc/XserverDesktop.cc | 24 +++--- + unix/xserver/hw/vnc/XserverDesktop.h | 2 +- + vncviewer/PlatformPixelBuffer.cxx | 9 +-- + win/rfb_win32/DIBSectionBuffer.cxx | 41 ++++------ + 9 files changed, 111 insertions(+), 102 deletions(-) + +diff --git a/common/rfb/Cursor.cxx b/common/rfb/Cursor.cxx +index 99df82d..7f3fc9a 100644 +--- a/common/rfb/Cursor.cxx ++++ b/common/rfb/Cursor.cxx +@@ -271,8 +271,7 @@ void RenderedCursor::update(PixelBuffer* framebuffer, + assert(cursor); + + format = framebuffer->getPF(); +- width_ = framebuffer->width(); +- height_ = framebuffer->height(); ++ setSize(framebuffer->width(), framebuffer->height()); + + rawOffset = pos.subtract(cursor->hotspot()); + clippedRect = Rect(0, 0, cursor->width(), cursor->height()) +diff --git a/common/rfb/EncodeManager.cxx b/common/rfb/EncodeManager.cxx +index 0ce611e..11f31d3 100644 +--- a/common/rfb/EncodeManager.cxx ++++ b/common/rfb/EncodeManager.cxx +@@ -979,11 +979,8 @@ void EncodeManager::OffsetPixelBuffer::update(const PixelFormat& pf, + int stride_) + { + format = pf; +- width_ = width; +- height_ = height; + // Forced cast. We never write anything though, so it should be safe. +- data = (rdr::U8*)data_; +- stride = stride_; ++ setBuffer(width, height, (rdr::U8*)data_, stride_); + } + + // Preprocessor generated, optimised methods +diff --git a/common/rfb/PixelBuffer.cxx b/common/rfb/PixelBuffer.cxx +index 007b6c8..ad58324 100644 +--- a/common/rfb/PixelBuffer.cxx ++++ b/common/rfb/PixelBuffer.cxx +@@ -35,8 +35,14 @@ static LogWriter vlog("PixelBuffer"); + // -=- Generic pixel buffer class + + PixelBuffer::PixelBuffer(const PixelFormat& pf, int w, int h) +- : format(pf), width_(w), height_(h) {} +-PixelBuffer::PixelBuffer() : width_(0), height_(0) {} ++ : format(pf), width_(0), height_(0) ++{ ++ setSize(w, h); ++} ++ ++PixelBuffer::PixelBuffer() : width_(0), height_(0) ++{ ++} + + PixelBuffer::~PixelBuffer() {} + +@@ -53,7 +59,7 @@ PixelBuffer::getImage(void* imageBuf, const Rect& r, int outStride) const + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Source rect %dx%d at %d,%d exceeds framebuffer %dx%d", + r.width(), r.height(), +- r.tl.x, r.tl.y, width_, height_); ++ r.tl.x, r.tl.y, width(), height()); + + data = getBuffer(r, &inStride); + +@@ -89,7 +95,7 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf, + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Source rect %dx%d at %d,%d exceeds framebuffer %dx%d", + r.width(), r.height(), +- r.tl.x, r.tl.y, width_, height_); ++ r.tl.x, r.tl.y, width(), height()); + + if (stride == 0) + stride = r.width(); +@@ -100,6 +106,12 @@ void PixelBuffer::getImage(const PixelFormat& pf, void* imageBuf, + stride, srcStride); + } + ++void PixelBuffer::setSize(int width, int height) ++{ ++ width_ = width; ++ height_ = height; ++} ++ + // -=- Modifiable generic pixel buffer class + + ModifiablePixelBuffer::ModifiablePixelBuffer(const PixelFormat& pf, +@@ -124,7 +136,7 @@ void ModifiablePixelBuffer::fillRect(const Rect& r, const void* pix) + + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d", +- r.width(), r.height(), r.tl.x, r.tl.y, width_, height_); ++ r.width(), r.height(), r.tl.x, r.tl.y, width(), height()); + + w = r.width(); + h = r.height(); +@@ -175,7 +187,7 @@ void ModifiablePixelBuffer::imageRect(const Rect& r, + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d", + r.width(), r.height(), +- r.tl.x, r.tl.y, width_, height_); ++ r.tl.x, r.tl.y, width(), height()); + + bytesPerPixel = getPF().bpp/8; + +@@ -213,13 +225,13 @@ void ModifiablePixelBuffer::copyRect(const Rect &rect, + if (!drect.enclosed_by(getRect())) + throw rfb::Exception("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d", + drect.width(), drect.height(), +- drect.tl.x, drect.tl.y, width_, height_); ++ drect.tl.x, drect.tl.y, width(), height()); + + srect = drect.translate(move_by_delta.negate()); + if (!srect.enclosed_by(getRect())) + throw rfb::Exception("Source rect %dx%d at %d,%d exceeds framebuffer %dx%d", + srect.width(), srect.height(), +- srect.tl.x, srect.tl.y, width_, height_); ++ srect.tl.x, srect.tl.y, width(), height()); + + srcData = getBuffer(srect, &srcStride); + dstData = getBufferRW(drect, &dstStride); +@@ -272,7 +284,7 @@ void ModifiablePixelBuffer::imageRect(const PixelFormat& pf, const Rect &dest, + if (!dest.enclosed_by(getRect())) + throw rfb::Exception("Destination rect %dx%d at %d,%d exceeds framebuffer %dx%d", + dest.width(), dest.height(), +- dest.tl.x, dest.tl.y, width_, height_); ++ dest.tl.x, dest.tl.y, width(), height()); + + if (stride == 0) + stride = dest.width(); +@@ -301,7 +313,7 @@ rdr::U8* FullFramePixelBuffer::getBufferRW(const Rect& r, int* stride_) + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Pixel buffer request %dx%d at %d,%d exceeds framebuffer %dx%d", + r.width(), r.height(), +- r.tl.x, r.tl.y, width_, height_); ++ r.tl.x, r.tl.y, width(), height()); + + *stride_ = stride; + return &data[(r.tl.x + (r.tl.y * stride)) * format.bpp/8]; +@@ -316,55 +328,69 @@ const rdr::U8* FullFramePixelBuffer::getBuffer(const Rect& r, int* stride_) cons + if (!r.enclosed_by(getRect())) + throw rfb::Exception("Pixel buffer request %dx%d at %d,%d exceeds framebuffer %dx%d", + r.width(), r.height(), +- r.tl.x, r.tl.y, width_, height_); ++ r.tl.x, r.tl.y, width(), height()); + + *stride_ = stride; + return &data[(r.tl.x + (r.tl.y * stride)) * format.bpp/8]; + } + ++void FullFramePixelBuffer::setBuffer(int width, int height, ++ rdr::U8* data_, int stride_) ++{ ++ ModifiablePixelBuffer::setSize(width, height); ++ stride = stride_; ++ data = data_; ++} ++ ++void FullFramePixelBuffer::setSize(int w, int h) ++{ ++ // setBuffer() should be used ++ throw rfb::Exception("Invalid call to FullFramePixelBuffer::setSize()"); ++} ++ + // -=- Managed pixel buffer class + // Automatically allocates enough space for the specified format & area + + ManagedPixelBuffer::ManagedPixelBuffer() +- : datasize(0) ++ : data_(NULL), datasize(0) + { +- checkDataSize(); + }; + + ManagedPixelBuffer::ManagedPixelBuffer(const PixelFormat& pf, int w, int h) +- : FullFramePixelBuffer(pf, w, h, NULL, w), datasize(0) ++ : FullFramePixelBuffer(pf, 0, 0, NULL, 0), data_(NULL), datasize(0) + { +- checkDataSize(); +-}; ++ setSize(w, h); ++} + +-ManagedPixelBuffer::~ManagedPixelBuffer() { +- if (data) delete [] data; +-}; ++ManagedPixelBuffer::~ManagedPixelBuffer() ++{ ++ if (data_) ++ delete [] data_; ++} + ++void ManagedPixelBuffer::setPF(const PixelFormat &pf) ++{ ++ format = pf; ++ setSize(width(), height()); ++} + +-void +-ManagedPixelBuffer::setPF(const PixelFormat &pf) { +- format = pf; checkDataSize(); +-}; +-void +-ManagedPixelBuffer::setSize(int w, int h) { +- width_ = w; height_ = h; stride = w; checkDataSize(); +-}; ++void ManagedPixelBuffer::setSize(int w, int h) ++{ ++ unsigned long new_datasize = w * h * (format.bpp/8); + ++ new_datasize = w * h * (format.bpp/8); + +-inline void +-ManagedPixelBuffer::checkDataSize() { +- unsigned long new_datasize = width_ * height_ * (format.bpp/8); + if (datasize < new_datasize) { +- if (data) { +- delete [] data; +- datasize = 0; data = 0; ++ if (data_) { ++ delete [] data_; ++ data_ = NULL; ++ datasize = 0; + } + if (new_datasize) { +- data = new U8[new_datasize]; +- if (!data) +- throw Exception("rfb::ManagedPixelBuffer unable to allocate buffer"); ++ data_ = new U8[new_datasize]; + datasize = new_datasize; + } + } +-}; ++ ++ setBuffer(w, h, data_, w); ++} +diff --git a/common/rfb/PixelBuffer.h b/common/rfb/PixelBuffer.h +index d89793f..3e4018f 100644 +--- a/common/rfb/PixelBuffer.h ++++ b/common/rfb/PixelBuffer.h +@@ -90,7 +90,12 @@ namespace rfb { + + protected: + PixelBuffer(); ++ virtual void setSize(int width, int height); ++ ++ protected: + PixelFormat format; ++ ++ private: + int width_, height_; + }; + +@@ -154,7 +159,12 @@ namespace rfb { + + protected: + FullFramePixelBuffer(); ++ virtual void setBuffer(int width, int height, rdr::U8* data, int stride); + ++ private: ++ virtual void setSize(int w, int h); ++ ++ private: + rdr::U8* data; + int stride; + }; +@@ -172,12 +182,9 @@ namespace rfb { + virtual void setPF(const PixelFormat &pf); + virtual void setSize(int w, int h); + +- // Return the total number of bytes of pixel data in the buffer +- int dataLen() const { return width_ * height_ * (format.bpp/8); } +- +- protected: ++ private: ++ rdr::U8* data_; // Mirrors FullFramePixelBuffer::data + unsigned long datasize; +- void checkDataSize(); + }; + + }; +diff --git a/unix/x0vncserver/XPixelBuffer.cxx b/unix/x0vncserver/XPixelBuffer.cxx +index 4769b65..f0b0696 100644 +--- a/unix/x0vncserver/XPixelBuffer.cxx ++++ b/unix/x0vncserver/XPixelBuffer.cxx +@@ -50,13 +50,8 @@ XPixelBuffer::XPixelBuffer(Display *dpy, ImageFactory &factory, + ffs(m_image->xim->blue_mask) - 1); + + // Set up the remaining data of the parent class. +- width_ = rect.width(); +- height_ = rect.height(); +- data = (rdr::U8 *)m_image->xim->data; +- +- // Calculate the distance in pixels between two subsequent scan +- // lines of the framebuffer. This may differ from image width. +- stride = m_image->xim->bytes_per_line * 8 / m_image->xim->bits_per_pixel; ++ setBuffer(rect.width(), rect.height(), (rdr::U8 *)m_image->xim->data, ++ m_image->xim->bytes_per_line * 8 / m_image->xim->bits_per_pixel); + + // Get initial screen image from the X display. + m_image->get(DefaultRootWindow(m_dpy), m_offsetLeft, m_offsetTop); +diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc +index 4aac765..78df899 100644 +--- a/unix/xserver/hw/vnc/XserverDesktop.cc ++++ b/unix/xserver/hw/vnc/XserverDesktop.cc +@@ -115,7 +115,7 @@ XserverDesktop::XserverDesktop(int screenIndex_, + : screenIndex(screenIndex_), + server(0), httpServer(0), + listeners(listeners_), httpListeners(httpListeners_), +- directFbptr(true), ++ shadowFramebuffer(NULL), + queryConnectId(0), queryConnectTimer(this) + { + format = pf; +@@ -152,8 +152,8 @@ XserverDesktop::~XserverDesktop() + delete httpListeners.back(); + httpListeners.pop_back(); + } +- if (!directFbptr) +- delete [] data; ++ if (shadowFramebuffer) ++ delete [] shadowFramebuffer; + delete httpServer; + delete server; + } +@@ -172,22 +172,18 @@ void XserverDesktop::setFramebuffer(int w, int h, void* fbptr, int stride_) + { + ScreenSet layout; + +- width_ = w; +- height_ = h; +- +- if (!directFbptr) { +- delete [] data; +- directFbptr = true; ++ if (shadowFramebuffer) { ++ delete [] shadowFramebuffer; ++ shadowFramebuffer = NULL; + } + + if (!fbptr) { +- fbptr = new rdr::U8[w * h * (format.bpp/8)]; ++ shadowFramebuffer = new rdr::U8[w * h * (format.bpp/8)]; ++ fbptr = shadowFramebuffer; + stride_ = w; +- directFbptr = false; + } + +- data = (rdr::U8*)fbptr; +- stride = stride_; ++ setBuffer(w, h, (rdr::U8*)fbptr, stride_); + + vncSetGlueContext(screenIndex); + layout = ::computeScreenLayout(&outputIdMap); +@@ -569,7 +565,7 @@ unsigned int XserverDesktop::setScreenLayout(int fb_width, int fb_height, + + void XserverDesktop::grabRegion(const rfb::Region& region) + { +- if (directFbptr) ++ if (shadowFramebuffer == NULL) + return; + + std::vector rects; +diff --git a/unix/xserver/hw/vnc/XserverDesktop.h b/unix/xserver/hw/vnc/XserverDesktop.h +index f866a4c..dc4fe60 100644 +--- a/unix/xserver/hw/vnc/XserverDesktop.h ++++ b/unix/xserver/hw/vnc/XserverDesktop.h +@@ -124,7 +124,7 @@ private: + rfb::HTTPServer* httpServer; + std::list listeners; + std::list httpListeners; +- bool directFbptr; ++ rdr::U8* shadowFramebuffer; + + uint32_t queryConnectId; + network::Socket* queryConnectSocket; +diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx +index a2b506d..a218901 100644 +--- a/vncviewer/PlatformPixelBuffer.cxx ++++ b/vncviewer/PlatformPixelBuffer.cxx +@@ -36,7 +36,7 @@ static rfb::LogWriter vlog("PlatformPixelBuffer"); + PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) : + FullFramePixelBuffer(rfb::PixelFormat(32, 24, false, true, + 255, 255, 255, 16, 8, 0), +- width, height, 0, stride), ++ 0, 0, NULL, 0), + Surface(width, height) + #if !defined(WIN32) && !defined(__APPLE__) + , shminfo(NULL), xim(NULL) +@@ -56,11 +56,10 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) : + vlog.debug("Using standard XImage"); + } + +- data = (rdr::U8*)xim->data; +- stride = xim->bytes_per_line / (getPF().bpp/8); ++ setBuffer(width, height, (rdr::U8*)xim->data, ++ xim->bytes_per_line / (getPF().bpp/8)); + #else +- FullFramePixelBuffer::data = (rdr::U8*)Surface::data; +- stride = width; ++ setBuffer(width, height, (rdr::U8*)Surface::data, width); + #endif + } + +diff --git a/win/rfb_win32/DIBSectionBuffer.cxx b/win/rfb_win32/DIBSectionBuffer.cxx +index e2b0d64..e00cf23 100644 +--- a/win/rfb_win32/DIBSectionBuffer.cxx ++++ b/win/rfb_win32/DIBSectionBuffer.cxx +@@ -52,39 +52,28 @@ void DIBSectionBuffer::setPF(const PixelFormat& pf) { + if (!pf.trueColour) + throw rfb::Exception("palette format not supported"); + format = pf; +- recreateBuffer(); ++ setSize(width(), height()); + } + +-void DIBSectionBuffer::setSize(int w, int h) { +- if (width_ == w && height_ == h) { +- vlog.debug("size unchanged by setSize()"); +- return; +- } +- width_ = w; +- height_ = h; +- recreateBuffer(); +-} +- +- + inline void initMaxAndShift(DWORD mask, int* max, int* shift) { + for ((*shift) = 0; (mask & 1) == 0; (*shift)++) mask >>= 1; + (*max) = (rdr::U16)mask; + } + +-void DIBSectionBuffer::recreateBuffer() { ++void DIBSectionBuffer::setSize(int w, int h) { + HBITMAP new_bitmap = 0; + rdr::U8* new_data = 0; + +- if (width_ && height_ && (format.depth != 0)) { ++ if (w && h && (format.depth != 0)) { + BitmapInfo bi; + memset(&bi, 0, sizeof(bi)); + UINT iUsage = DIB_RGB_COLORS; + bi.bmiHeader.biSize = sizeof(BITMAPINFOHEADER); + bi.bmiHeader.biBitCount = format.bpp; +- bi.bmiHeader.biSizeImage = (format.bpp / 8) * width_ * height_; ++ bi.bmiHeader.biSizeImage = (format.bpp / 8) * w * h; + bi.bmiHeader.biPlanes = 1; +- bi.bmiHeader.biWidth = width_; +- bi.bmiHeader.biHeight = -height_; ++ bi.bmiHeader.biWidth = w; ++ bi.bmiHeader.biHeight = -h; + bi.bmiHeader.biCompression = (format.bpp > 8) ? BI_BITFIELDS : BI_RGB; + bi.mask.red = format.pixelFromRGB((rdr::U16)~0, 0, 0); + bi.mask.green = format.pixelFromRGB(0, (rdr::U16)~0, 0); +@@ -115,12 +104,12 @@ void DIBSectionBuffer::recreateBuffer() { + if (device) { + BitmapDC src_dev(device, bitmap); + BitmapDC dest_dev(device, new_bitmap); +- BitBlt(dest_dev, 0, 0, width_, height_, src_dev, 0, 0, SRCCOPY); ++ BitBlt(dest_dev, 0, 0, w, h, src_dev, 0, 0, SRCCOPY); + } else { + WindowDC wndDC(window); + BitmapDC src_dev(wndDC, bitmap); + BitmapDC dest_dev(wndDC, new_bitmap); +- BitBlt(dest_dev, 0, 0, width_, height_, src_dev, 0, 0, SRCCOPY); ++ BitBlt(dest_dev, 0, 0, w, h, src_dev, 0, 0, SRCCOPY); + } + } + +@@ -128,17 +117,17 @@ void DIBSectionBuffer::recreateBuffer() { + // Delete the old bitmap + DeleteObject(bitmap); + bitmap = 0; +- data = 0; ++ setBuffer(0, 0, NULL, 0); + } + + if (new_bitmap) { + int bpp, depth; + int redMax, greenMax, blueMax; + int redShift, greenShift, blueShift; ++ int new_stride; + + // Set up the new bitmap + bitmap = new_bitmap; +- data = new_data; + + // Determine the *actual* DIBSection format + DIBSECTION ds; +@@ -147,14 +136,16 @@ void DIBSectionBuffer::recreateBuffer() { + + // Correct the "stride" of the DIB + // *** This code DWORD aligns each row - is that right??? +- stride = width_; +- int bytesPerRow = stride * format.bpp/8; ++ new_stride = w; ++ int bytesPerRow = new_stride * format.bpp/8; + if (bytesPerRow % 4) { + bytesPerRow += 4 - (bytesPerRow % 4); +- stride = (bytesPerRow * 8) / format.bpp; +- vlog.info("adjusting DIB stride: %d to %d", width_, stride); ++ new_stride = (bytesPerRow * 8) / format.bpp; ++ vlog.info("adjusting DIB stride: %d to %d", w, new_stride); + } + ++ setBuffer(w, h, new_data, new_stride); ++ + // Calculate the PixelFormat for the DIB + bpp = depth = ds.dsBm.bmBitsPixel; + diff --git a/SOURCES/tigervnc-pixelformat-sanity-checks.patch b/SOURCES/tigervnc-pixelformat-sanity-checks.patch new file mode 100644 index 0000000..9801a5c --- /dev/null +++ b/SOURCES/tigervnc-pixelformat-sanity-checks.patch @@ -0,0 +1,32 @@ +diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx +index 76051dc..a9d015d 100644 +--- a/common/rfb/PixelFormat.cxx ++++ b/common/rfb/PixelFormat.cxx +@@ -75,7 +75,8 @@ PixelFormat::PixelFormat(int b, int d, bool e, bool t, + redMax(rm), greenMax(gm), blueMax(bm), + redShift(rs), greenShift(gs), blueShift(bs) + { +- assert(isSane()); ++ if (!isSane()) ++ throw Exception("invalid pixel format"); + + updateState(); + } +@@ -672,8 +673,16 @@ bool PixelFormat::isSane(void) + return false; + + totalBits = bits(redMax) + bits(greenMax) + bits(blueMax); +- if (totalBits > bpp) ++ if (totalBits > depth) ++ return false; ++ ++ if ((bits(redMax) + redShift) > bpp) ++ return false; ++ if ((bits(greenMax) + greenShift) > bpp) + return false; ++ if ((bits(blueMax) + blueShift) > bpp) ++ return false; ++ + + if (((redMax << redShift) & (greenMax << greenShift)) != 0) + return false; diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec index 7660a2c..2d291c1 100644 --- a/SPECS/tigervnc.spec +++ b/SPECS/tigervnc.spec @@ -1,6 +1,6 @@ Name: tigervnc Version: 1.9.0 -Release: 12%{?dist} +Release: 14%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 @@ -32,6 +32,17 @@ Patch13: tigervnc-vncserver-do-not-return-returncode-indicating-error.pat Patch50: tigervnc-covscan.patch +# Security fixes +Patch200: tigervnc-CVE-2019-15691.patch +Patch201: tigervnc-encapsulate-pixelbuffer-internal-details.patch +Patch202: tigervnc-CVE-2019-15692.patch +Patch203: tigervnc-add-write-protection-to-offsetpixelbuffer.patch +Patch204: tigervnc-CVE-2019-15693.patch +Patch205: tigervnc-pixelformat-sanity-checks.patch +Patch206: tigervnc-CVE-2019-15694.patch +Patch207: tigervnc-be-defensive-about-overflows-in-stream-objects.patch +Patch208: tigervnc-CVE-2019-15695.patch + # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg Patch100: tigervnc-xserver120.patch # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start @@ -192,6 +203,17 @@ popd %patch50 -p1 -b .tigervnc-covscan +# Security fixes +%patch200 -p1 -b .CVE-2019-15691 +%patch201 -p1 -b .encapsulate-pixelbuffer-internal-details +%patch202 -p1 -b .CVE-2019-15692 +%patch203 -p1 -b .add-write-protection-to-offsetpixelbuffer +%patch204 -p1 -b .CVE-2019-15693 +%patch205 -p1 -b .pixelformat-sanity-checks +%patch206 -p1 -b .CVE-2019-15694 +%patch207 -p1 -b .be-defensive-about-overflows-in-stream-objects +%patch208 -p1 -b .CVE-2019-15695 + %build %ifarch sparcv9 sparc64 s390 s390x export CFLAGS="$RPM_OPT_FLAGS -fPIC" @@ -346,6 +368,30 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.c %{_datadir}/icons/hicolor/*/apps/* %changelog +* Thu Apr 09 2020 Jan Grulich - 1.9.0-14 +- Bump build version + Resolves: bz#1819877 + Resolves: bz#1819879 + Resolves: bz#1819882 + Resolves: bz#1819886 + Resolves: bz#1819884 + +* Wed Apr 08 2020 Jan Grulich - 1.9.0-13 +- Fix stack buffer overflow in CMsgReader::readSetCursor + Resolves: bz#1819877 + +- Fix heap buffer overflow in DecodeManager::decodeRect + Resolves: bz#1819879 + +- Fix heap buffer overflow in TightDecoder::FilterGradient + Resolves: bz#1819882 + +- Fix heap-based buffer overflow triggered from CopyRectDecoder + Resolves: bz#1819886 + +- Fix stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder + Resolves: bz#1819884 + * Tue Jan 28 2020 Jan Grulich - 1.9.0-12 - Fix installation of 10-libvnc.conf file Resolves: bz#1795168