Pierre Ossman [Fri, 3 Jan 2020 12:10:20 +0000 (13:10 +0100)]
Clean up initialization of DIBSectionBuffer
We had an unintentional conflict with PixelBuffer::setSize() here.
But we can simplify this further as this initialization is only used
by the subclass DeviceFrameBuffer, and only once.
Pierre Ossman [Mon, 30 Dec 2019 09:50:52 +0000 (10:50 +0100)]
Provide correct dimensions for XShm setup
Since 53f913a we initialize the underlying PixelBuffer with 0x0
dimensions, which means we need to keep more explicit track of what
we are trying to allocate in the setup methods.
Samuel Mannehed [Fri, 20 Dec 2019 15:06:48 +0000 (16:06 +0100)]
Use the correct minimum value for compression lvl
There was even some confusion in the RFB protocol regarding this, but
the zlib implementation confirms that accepted values for compression
level is 0-9.
Pierre Ossman [Mon, 9 Dec 2019 15:58:07 +0000 (16:58 +0100)]
Check the correct stream if there is more data pending
The input stream might no longer be the raw socket, so we need to
query what's currently active. That wrapping stream might have its
own buffering and may have more data even if the socket is drained.
Pierre Ossman [Mon, 9 Dec 2019 15:57:04 +0000 (16:57 +0100)]
Handle pending data in TLS buffers
There might be more bytes left in the current TLS record, even if
there is nothing on the underlying stream. Make sure we properly
return this when we aren't being requested to block.
Pierre Ossman [Mon, 9 Dec 2019 12:54:17 +0000 (13:54 +0100)]
Don't background the main session command
When used with -fg we expect the startup script to remain running until
the session is over. This will not happen if the session command is put
in the background using &.
Pierre Ossman [Wed, 2 Oct 2019 14:06:08 +0000 (16:06 +0200)]
Handle pixel formats with odd shift values
Our fast paths assume that each channel fits in to a separate byte.
That means the shift needs to be a multiple of 8. Start actually
checking this so that a client cannot trip us up and possibly cause
incorrect code exection.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman [Tue, 24 Sep 2019 07:41:07 +0000 (09:41 +0200)]
Be defensive about overflows in stream objects
We use a lot of lengths given to us over the network, so be more
paranoid about them causing an overflow as otherwise an attacker
might trick us in to overwriting other memory.
This primarily affects the client which often gets lengths from the
server, but there are also some scenarios where the server might
theoretically be vulnerable.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman [Tue, 10 Sep 2019 14:07:50 +0000 (16:07 +0200)]
Add sanity checks for PixelFormat shift values
Otherwise we might be tricked in to reading and writing things at
incorrect offsets for pixels which ultimately could result in an
attacker writing things to the stack or heap and executing things
they shouldn't.
This only affects the server as the client never uses the pixel
format suggested by th server.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman [Tue, 10 Sep 2019 13:21:03 +0000 (15:21 +0200)]
Restrict PixelBuffer dimensions to safe values
We do a lot of calculations based on pixel coordinates and we need
to make sure they do not overflow. Restrict the maximum dimensions
we support rather than try to switch over all calculations to use
64 bit integers.
This prevents attackers from from injecting code by specifying a
huge framebuffer size and relying on the values overflowing to
access invalid areas of the heap.
This primarily affects the client which gets both the screen
dimensions and the pixel contents from the remote side. But the
server might also be affected as a client can adjust the screen
dimensions, as can applications inside the session.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman [Tue, 10 Sep 2019 13:18:30 +0000 (15:18 +0200)]
Encapsulate PixelBuffer internal details
Don't allow subclasses to just override dimensions or buffer details
directly and instead force them to go via methods. This allows us
to do sanity checks on the new values and catch bugs and attacks.
Pierre Ossman [Tue, 10 Sep 2019 09:05:48 +0000 (11:05 +0200)]
Make ZlibInStream more robust against failures
Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.
A malicious server could theoretically use this for remote code
execution in the client.
Issue found by Pavel Cheremushkin from Kaspersky Lab
Pierre Ossman [Mon, 9 Sep 2019 14:47:36 +0000 (16:47 +0200)]
Fix length checks in string conversion functions
We need to check the buffer length before accessing the incoming
string. Probably not a problem in practice as there should be a
final null in most incoming strings.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Pierre Ossman [Fri, 5 Feb 2016 09:26:56 +0000 (10:26 +0100)]
Support extended clipboard transfers
Implements support in both client and server for the extended
clipboard format first seen in UltraVNC. Currently only implements
text handling, but that is still an improvement as it extends the
clipboard from ISO 8859-1 to full Unicode.
Pierre Ossman [Thu, 2 May 2019 10:32:03 +0000 (12:32 +0200)]
Clean up internal clipboard handling
We now filter incoming data, which means we can start assuming the
clipboard data is always null terminated. This allows us to clean
up a lot of the internal handling.
Pierre Ossman [Thu, 2 May 2019 10:32:03 +0000 (12:32 +0200)]
Make sure clipboard uses \n line endings
This is required by the protocol so we should make sure it is
enforced. We are tolerant of clients that violate this though and
convert incoming clipboard data.
Result of overflow on signed integer arithmetic is undefined in C/C++ standard.
So in previous version clang was compiling the statement as (int)a > (int)b (i.e. assuming no overflow), which leads to incorrect result.
Correct deterministic behavior means doing overflow arithmetic as unsigned, i.e.
a != b && a - b <= UINT_MAX / 2
Pierre Ossman [Thu, 4 Apr 2019 08:31:59 +0000 (10:31 +0200)]
Always get raw keyboard layout on macOS
Some input sources are still using input methods even though they
claim to be "ASCII" input. This causes our input handling to fail
since we need to query the layout to handle dead keys.
Fortunately there is another API to get the raw, underlying input
source that the input method uses. So let's use that and be sure
that we're always getting something we can use.
Pierre Ossman [Mon, 1 Apr 2019 12:55:40 +0000 (14:55 +0200)]
Increase version string buffer size for gcc
There is some bug in gcc's new -Werror=format-overflow that makes it
think majorVersion could end up being very large. Increase the target
buffer for now to keep gcc happy.