A release build, however, removes all asserts, making it possible to
overrun this buffer. This could be exploited by a malicious server.
This issue has been assigned CVE-2014-0011. Patch by Tim Waugh for
Red Hat.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@5167
3789f03b-4d11-0410-bbf8-
ca57d06f2519
// FILL_RECT - fill a rectangle with a single colour
// IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include <stdio.h>
#include <rdr/InStream.h>
#include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
namespace rfb {
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
#ifdef FAVOUR_FILL_RECT
int i = ptr - buf;
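Review bot: The new check on `end - ptr < len` runs only after the `do … while (b == 255)` loop has finished, so `len` is never bounded while it accumulates. The declaration of `len` and the start of the loop are outside the hunk, but if `len` is a signed `int`, as the comparison suggests, a long enough run of 255 bytes could wrap it negative, and a negative `len` passes this check. Rejecting inside the loop, right after `len += b;`, avoids that: `if (len > end - ptr) throw Exception ("ZRLE decode error");`. The same applies to the second copy of the check in the later hunk. Since the check is duplicated, a small shared helper would keep the two copies in step. The `fprintf` to stderr also repeats what the exception already carries and is the only reason `<stdio.h>` is now included.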
len += b;
} while (b == 255);
- assert(len <= end - ptr);
+ if (end - ptr < len) {
+ fprintf (stderr, "ZRLE decode error\n");
+ throw Exception ("ZRLE decode error");
+ }
}
index &= 127;