From c1244c096dd9d314465a985e06d97450c8c871a2 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Wed, 19 Mar 2014 12:16:48 +0000
Subject: [PATCH] The ZRLE decoder relied on an assert() for boundary checks. A default Release build however will remove all asserts making it possible to overrun this buffer. This could be exploited by a malicious server.

This issue has been assigned CVE-2014-0011.

Patch by Tim Waugh for Red Hat.

git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@5167 3789f03b-4d11-0410-bbf8-ca57d06f2519
---
 common/rfb/zrleDecode.h | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/common/rfb/zrleDecode.h b/common/rfb/zrleDecode.h
index 15d27900..8f6f7927 100644
--- a/common/rfb/zrleDecode.h
+++ b/common/rfb/zrleDecode.h
@@ -25,9 +25,10 @@
 // FILL_RECT - fill a rectangle with a single colour
 // IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include
 #include
 #include
-#include
+#include
 namespace rfb {
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is,
 len += b;
 } while (b == 255);
-assert(len <= end - ptr);
+if (end - ptr < len) {
+fprintf (stderr, "ZRLE decode error\n");
+throw Exception ("ZRLE decode error");
+}
 #ifdef FAVOUR_FILL_RECT
 int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is,
 len += b;
 } while (b == 255);
-assert(len <= end - ptr);
+if (end - ptr < len) {
+fprintf (stderr, "ZRLE decode error\n");
+throw Exception ("ZRLE decode error");
+}
 index &= 127;
-- 
2.39.5
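Review bot: The `fprintf (stderr, "ZRLE decode error\n")` added before each `throw Exception ("ZRLE decode error")` in the two ZRLE_DECODE hunks is redundant with the exception message and gives a malicious server (the party that can trigger this path at will) a way to write unbounded noise to the client's stderr from library code; I would drop the fprintf lines and the new `#include <stdio.h>` from the header, leaving `if (end - ptr < len) throw Exception ("ZRLE decode error");`, and let the caller log through whatever logging facility it already uses. The `<` comparison itself matches the removed `assert(len <= end - ptr)` exactly, so a run that fills the buffer to `end` is still accepted and the fix closes the overrun without changing accepted input. One thing the hunk does not let me confirm is the type of `len`: it is accumulated in `len += b` across the `while (b == 255)` continuation loop, and if it is a plain `int` a sufficiently long run of 255 bytes would overflow it (signed overflow, undefined behaviour) before this comparison, so a comment such as `// len is bounded by the check below; continuation bytes must not be able to wrap it` plus an explicit cap on the accumulation is worth considering. The enclosing ZRLE_DECODE body starts and ends outside both hunks.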