| author | Pierre Ossman <ossman@cendio.se> | 2019-09-24 09:41:07 +0200 |
|---|---|---|
| committer | Pierre Ossman <ossman@cendio.se> | 2019-11-15 12:15:47 +0100 |
| commit | 75e6e0653a48baf474fd45d78b1da53e2f324642 (patch) | |
| tree | 8159e0ad7abb2e69604c6ad3cbc00ebceb867c3d /common/rdr/ZlibInStream.cxx | |
| parent | 0943c006c7d900dfc0281639e992791d6c567438 (diff) | |
| download | tigervnc-75e6e0653a48baf474fd45d78b1da53e2f324642.tar.gz, tigervnc-75e6e0653a48baf474fd45d78b1da53e2f324642.zip | |
Be defensive about overflows in stream objects
We use a lot of lengths given to us over the network, so be more
paranoid about them causing an overflow as otherwise an attacker
might trick us into overwriting other memory.
This primarily affects the client which often gets lengths from the
server, but there are also some scenarios where the server might
theoretically be vulnerable.
Issue found by Pavel Cheremushkin from Kaspersky Lab.
Diffstat (limited to 'common/rdr/ZlibInStream.cxx')
| -rw-r--r-- | common/rdr/ZlibInStream.cxx | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/common/rdr/ZlibInStream.cxx b/common/rdr/ZlibInStream.cxx index e2f971c7..9fcfaf6b 100644 --- a/common/rdr/ZlibInStream.cxx +++ b/common/rdr/ZlibInStream.cxx @@ -113,8 +113,10 @@ size_t ZlibInStream::overrun(size_t itemSize, size_t nItems, bool wait) return 0; } - if (itemSize * nItems > (size_t)(end - ptr)) - nItems = (end - ptr) / itemSize; + size_t nAvail; + nAvail = (end - ptr) / itemSize; + if (nAvail < nItems) + return nAvail; return nItems; } |
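Review bot: the new `nAvail = (end - ptr) / itemSize;` divides by a caller-supplied `itemSize` with no visible guard against zero; nothing in this hunk establishes that `itemSize` is non-zero, so either an assertion or a documented precondition on `overrun()` would make the invariant explicit (the removed code had the same implicit assumption in its `/ itemSize`, so this is not a regression). The switch from `itemSize * nItems > (size_t)(end - ptr)` to a division is the right fix for the overflow the commit message describes: with network-controlled `nItems`, the product could wrap around `size_t` and pass the comparison while the real byte count exceeded the buffer, whereas `(end - ptr) / itemSize` cannot overflow. One small style point: `size_t nAvail;` followed by a separate assignment could be a single initialised declaration, but that is a matter of matching the surrounding code's conventions.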