Handle empty Tight gradient rects

We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.

This could theoretically be used by a malicious server to inject
code in to the viewer process.

Issue found by Pavel Cheremushkin from Kaspersky Lab.

(cherry picked from commit b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95)

diff --git a/common/rfb/tightDecode.h b/common/rfb/tightDecode.h
index b6e86ed5ea0bf3b3ea92e8f807d29ba8b21a920f..8f77aebd0a334bf45a60e8473ed896097be22bb4 100644 (file)
--- a/common/rfb/tightDecode.h
+++ b/common/rfb/tightDecode.h
@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf,
   int rectWidth = r.width();
 
   for (y = 0; y < rectHeight; y++) {
-    /* First pixel in a row */
-    for (c = 0; c < 3; c++) {
-      pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
-      thisRow[c] = pix[c];
-    }
-    pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+    for (x = 0; x < rectWidth; x++) {
+      /* First pixel in a row */
+      if (x == 0) {
+        for (c = 0; c < 3; c++) {
+          pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
+          thisRow[c] = pix[c];
+        }
+        pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+        continue;
+      }
 
-    /* Remaining pixels of a row */
-    for (x = 1; x < rectWidth; x++) {
       for (c = 0; c < 3; c++) {
         est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
         if (est[c] > 0xff) {
@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf,
   int rectWidth = r.width();
 
   for (y = 0; y < rectHeight; y++) {
-    /* First pixel in a row */
-    pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
-    for (c = 0; c < 3; c++)
-      pix[c] += prevRow[c];
+    for (x = 0; x < rectWidth; x++) {
+      /* First pixel in a row */
+      if (x == 0) {
+        pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
+        for (c = 0; c < 3; c++)
+          pix[c] += prevRow[c];
 
-    memcpy(thisRow, pix, sizeof(pix));
+        memcpy(thisRow, pix, sizeof(pix));
 
-    pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+        pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+
+        continue;
+      }
 
-    /* Remaining pixels of a row */
-    for (x = 1; x < rectWidth; x++) {
       for (c = 0; c < 3; c++) {
         est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
         if (est[c] > 255) {