author | Pierre Ossman <ossman@cendio.se> | 2019-09-10 15:36:42 +0200 |
---|---|---|
committer | Pierre Ossman <ossman@cendio.se> | 2019-12-20 07:29:00 +0100 |
commit | 46c081926efd83c90a45c0a96b1b5bc1927e1346 (patch) | |
tree | 25493326fd7e5e6051a6568cc3bd66fec3424b9e | |
parent | 2473c72ddc5723bcbbcb172bb5a64cddcdf68935 (diff) | |
Handle empty Tight gradient rects
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.
This could theoretically be used by a malicious server to inject
code into the viewer process.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
(cherry picked from commit b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95)
-rw-r--r-- | common/rfb/tightDecode.h | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/common/rfb/tightDecode.h b/common/rfb/tightDecode.h
index b6e86ed5..8f77aebd 100644
--- a/common/rfb/tightDecode.h
+++ b/common/rfb/tightDecode.h
@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf,
 int rectWidth = r.width();
 for (y = 0; y < rectHeight; y++) {
- /* First pixel in a row */
- for (c = 0; c < 3; c++) {
- pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
- thisRow[c] = pix[c];
- }
- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+ for (x = 0; x < rectWidth; x++) {
+ /* First pixel in a row */
+ if (x == 0) {
+ for (c = 0; c < 3; c++) {
+ pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
+ thisRow[c] = pix[c];
+ }
+ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+ continue;
+ }
- /* Remaining pixels of a row */
- for (x = 1; x < rectWidth; x++) {
 for (c = 0; c < 3; c++) {
 est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
 if (est[c] > 0xff) {
@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf,
 int rectWidth = r.width();
 for (y = 0; y < rectHeight; y++) {
- /* First pixel in a row */
- pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
- for (c = 0; c < 3; c++)
- pix[c] += prevRow[c];
+ for (x = 0; x < rectWidth; x++) {
+ /* First pixel in a row */
+ if (x == 0) {
+ pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
+ for (c = 0; c < 3; c++)
+ pix[c] += prevRow[c];
- memcpy(thisRow, pix, sizeof(pix));
+ memcpy(thisRow, pix, sizeof(pix));
- pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+ pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
+
+ continue;
+ }
- /* Remaining pixels of a row */
- for (x = 1; x < rectWidth; x++) {
 for (c = 0; c < 3; c++) {
 est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
 if (est[c] > 255) { |
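Review bot: In the FilterGradient24 hunk (`@@ -56,15 +56,17 @@`), nothing in the new loop says why the first-pixel case now sits inside `for (x = 0; x < rectWidth; x++)`, so a later cleanup could hoist it back out and reintroduce the zero-width write the commit message describes. I would add a comment above the `if (x == 0)` branch, for example `/* Handled inside the x loop so that a zero-width rect touches no buffers */`. The same comment is worth adding to the identical restructuring in the FilterGradient hunk (`@@ -103,17 +105,20 @@`). Both function bodies start and end outside the hunks, so whether the rect dimensions are validated earlier cannot be seen from here.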
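Review bot: In the FilterGradient hunk (`@@ -103,17 +105,20 @@`), the first-pixel read `pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);` indexes a `const rdr::U8*` by a pixel count, whereas FilterGradient24 scales its row offset by 3 bytes per pixel. If the pixel format handled here is wider than one byte, which the hunk does not show, the row offset would be too small and rows after the first would be decoded from the wrong input bytes. Worth confirming, and if so scaling the offset by the pixel size, e.g. `&inbuf[y*rectWidth*(pf.bpp/8)]`. The line is moved rather than introduced by this commit, and the function body continues outside the hunk.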