aboutsummaryrefslogtreecommitdiffstats
path: root/common/rdr/FdInStream.cxx
diff options
context:
space:
mode:
authorPierre Ossman <ossman@cendio.se>2019-09-24 09:41:07 +0200
committerPierre Ossman <ossman@cendio.se>2019-11-15 12:15:47 +0100
commit75e6e0653a48baf474fd45d78b1da53e2f324642 (patch)
tree8159e0ad7abb2e69604c6ad3cbc00ebceb867c3d /common/rdr/FdInStream.cxx
parent0943c006c7d900dfc0281639e992791d6c567438 (diff)
downloadtigervnc-75e6e0653a48baf474fd45d78b1da53e2f324642.tar.gz
tigervnc-75e6e0653a48baf474fd45d78b1da53e2f324642.zip
Be defensive about overflows in stream objects
We use a lot of lengths given to us over the network, so be more paranoid about them causing an overflow as otherwise an attacker might trick us in to overwriting other memory. This primarily affects the client which often gets lengths from the server, but there are also some scenarios where the server might theoretically be vulnerable. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Diffstat (limited to 'common/rdr/FdInStream.cxx')
-rw-r--r--common/rdr/FdInStream.cxx8
1 files changed, 5 insertions, 3 deletions
diff --git a/common/rdr/FdInStream.cxx b/common/rdr/FdInStream.cxx
index 9e84ab7a..1730d6d1 100644
--- a/common/rdr/FdInStream.cxx
+++ b/common/rdr/FdInStream.cxx
@@ -136,7 +136,7 @@ size_t FdInStream::overrun(size_t itemSize, size_t nItems, bool wait)
ptr = start;
size_t bytes_to_read;
- while (end < start + itemSize) {
+ while ((size_t)(end - start) < itemSize) {
bytes_to_read = start + bufSize - end;
if (!timing) {
// When not timing, we must be careful not to read too much
@@ -152,8 +152,10 @@ size_t FdInStream::overrun(size_t itemSize, size_t nItems, bool wait)
end += n;
}
- if (itemSize * nItems > (size_t)(end - ptr))
- nItems = (end - ptr) / itemSize;
+ size_t nAvail;
+ nAvail = (end - ptr) / itemSize;
+ if (nAvail < nItems)
+ return nAvail;
return nItems;
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-20 20:29:38 +0000