Browse Source
Add sanity checks for PixelFormat shift values
Otherwise we might be tricked in to reading and writing things at
incorrect offsets for pixels which ultimately could result in an
attacker writing things to the stack or heap and executing things
they shouldn't.
This only affects the server as the client never uses the pixel
format suggested by th server.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
(cherry picked from commit cd1d650c53)
tags/v1.10.1
Pierre Ossman
4 years ago
2 changed files with 13 additions and 0 deletions
+ 7
- 0
common/rfb/PixelFormat.cxx
View File
| @@ -682,6 +682,13 @@ bool PixelFormat::isSane(void) | |||
| if (totalBits > depth) | |||
| return false; | |||
| if ((bits(redMax) + redShift) > bpp) | |||
| return false; | |||
| if ((bits(greenMax) + greenShift) > bpp) | |||
| return false; | |||
| if ((bits(blueMax) + blueShift) > bpp) | |||
| return false; | |||
| if (((redMax << redShift) & (greenMax << greenShift)) != 0) | |||
| return false; | |||
| if (((redMax << redShift) & (blueMax << blueShift)) != 0) | |||
+ 6
- 0
tests/unit/pixelformat.cxx
View File
| @@ -108,6 +108,12 @@ int main(int argc, char** argv) | |||
| doTest(true, 32, 16, false, true, 255, 255, 255, 0, 8, 16); | |||
| /* Invalid shift values */ | |||
| doTest(true, 32, 24, false, true, 255, 255, 255, 25, 8, 16); | |||
| doTest(true, 32, 24, false, true, 255, 255, 255, 0, 25, 16); | |||
| doTest(true, 32, 24, false, true, 255, 255, 255, 0, 8, 25); | |||
| /* Overlapping channels */ | |||
| doTest(true, 32, 24, false, true, 255, 255, 255, 0, 7, 16); | |||
Loading…