We use a lot of lengths given to us over the network, so be more
paranoid about them causing an overflow as otherwise an attacker
might trick us in to overwriting other memory.
This primarily affects the client which often gets lengths from the
server, but there are also some scenarios where the server might
theoretically be vulnerable.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
(cherry picked from commit 75e6e0653a)
Provides safety against them accidentally becoming negative because
of bugs in the calculations.
Also does the same to CharArray and friends as they were strongly
connection to the stream objects.
(cherry picked from commit 0943c006c7)
Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.
A malicious server could theoretically use this for remote code
execution in the client.
Issue found by Pavel Cheremushkin from Kaspersky Lab
(cherry picked from commit d61a767d68)
fread() returns size_t, which is unsigned. Don't check
for negative values to avoid warnings from Clang.
/home/shade/dev/tigervnc/common/rdr/FileInStream.cxx:74:13: error: comparison of unsigned expression < 0 is always false [-Werror,-Wtautological-compare]
if (n < 0 || ferror(file))
~ ^ ~
Fix warnings emitted by Clang:
/home/shade/dev/tigervnc/common/rdr/FdInStream.h:30:9: error: 'rdr::FdInStreamBlockCallback' has virtual functions but non-virtual destructor [-Werror,-Wnon-virtual-dtor]
class FdInStreamBlockCallback {
^
In file included from /home/shade/dev/tigervnc/common/network/TcpSocket.cxx:44:
In file included from /home/shade/dev/tigervnc/common/network/TcpSocket.h:31:
/home/shade/dev/tigervnc/common/network/Socket.h:82:9: error: 'network::ConnectionFilter' has virtual functions but non-virtual destructor [-Werror,-Wnon-virtual-dtor]
class ConnectionFilter {
^
..etc
This bug was introduced in c6df31db. A non-blocking socket that did
not have any more space would busy loop until the write succeeded.
Instead now it returns without any action, just as it did before
the bug was introduced.
It previously only did a reset of the ZlibInStream object, not the
underlying zlib stream. It also had the side effect of flushing
the underlying stream and disassociating from it.
Clear things up by changing the naming, and introducing a proper
reset function (which is needed by the Tight decoder).
In earlier Visual Studio and MinGW editions, BSD socket errno:s were
left undefined. This is no longer the case. This may cause build or
runtime errors. To avoid this, we are using a common header file which
corrects all definitions. This header will also be used with other
projects such as sercd, unfs3, PulseAudio etc.
This allows us to simplify things by getting rid of some old
compatibility code. People should really be using current versions
of GnuTLS anyway to stay secure.
GnuTLS 3.x has removed gnutls_transport_set_global_errno() in favour of
gnutls_transport_set_errno(). Make sure we call the right errno function
depending on which GnuTLS we're using.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4922 3789f03b-4d11-0410-bbf8-ca57d06f2519
Refactor the TLS code so that the push/pull functions are aware of their
containing stream object. This is in preparation for supporting GnuTLS 3.x.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4921 3789f03b-4d11-0410-bbf8-ca57d06f2519
Make socket writes non-blockable. This allows the system to more quickly
return back to the Xorg main loop, meaning that things will be more responsive
in the presence of slow VNC clients.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4735 3789f03b-4d11-0410-bbf8-ca57d06f2519
Another attempt at solving the compression level change problems. We were still
not detecting the correct approach properly, and hence still getting crashes.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4731 3789f03b-4d11-0410-bbf8-ca57d06f2519
CMake doesn't handle convenience libraries as nicely as autotools does. We
need to be explicit with -fPIC here as we use these in libvnc.so.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4645 3789f03b-4d11-0410-bbf8-ca57d06f2519
Ported encoding optimizations from TurboVNC. The changes to the Tight parameters were determined through extensive low-level profiling (see http://www.virtualgl.org/pmwiki/uploads/About/turbototiger.pdf). The other enhancements involved: (1) porting the solid subrectangle pre-computation code from TightVNC/TurboVNC (it makes a pretty big difference-- see report), (2) encapsulating the JPEG encoder in its own class (this eliminates a buffer copy, and the JPEG buffer is now set to a decent size where it shouldn't ever need to be paged or re-allocated, except in rare corner cases), (3) adding support for last rect. encoding (necessary to support the solid rectangle pre-computation enhancements.
Revert r4498 and fix #3305357 properly. The issue was two-fold: (1) the compress buffer allocated by the Tight encoder was not large enough, and (2) Zlib 1.2.5 can sometimes call deflate(..., Z_BLOCK) within the body of deflateParams(), so we need to check avail_in after calling checkCompressionLevel() to ensure that there is still data left to compress before we call deflate() again.
Building the Xvnc server requires libtool control files of rdr, rfb,
network and Xregion, which a cmake build will NOT produce, this macro
tries to create a libtool control file *.la for the specified target
with libdependencies for a static library target.
Due to the automake part of Xvnc references to libtool files in source
tree you need to build vncviewer using cmake in the source tree.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@4482 3789f03b-4d11-0410-bbf8-ca57d06f2519
Pierre Ossman
Peter Åstrand (astrand)
Steve Kondik
DRC
Henrik Andersson