author | Pierre Ossman <ossman@cendio.se> | 2014-03-19 12:16:48 +0000 |
---|---|---|
committer | Pierre Ossman <ossman@cendio.se> | 2014-03-19 12:16:48 +0000 |
commit | c1244c096dd9d314465a985e06d97450c8c871a2 (patch) | |
tree | 12dfc8e5b0013c09be0a5696fa5d9e1d66186de1 /common/rfb | |
parent | 7ea9b2c602893ac1b7e843bcf2f64e1677f98d1d (diff) | |
The ZRLE decoder relied on an assert() for boundary checks. A default
Release build, however, removes all asserts, making it possible to
overrun this buffer. This could be exploited by a malicious server.
This issue has been assigned CVE-2014-0011. Patch by Tim Waugh for
Red Hat.
git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@5167 3789f03b-4d11-0410-bbf8-ca57d06f2519
Diffstat (limited to 'common/rfb')
-rw-r--r-- | common/rfb/zrleDecode.h | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/common/rfb/zrleDecode.h b/common/rfb/zrleDecode.h
index 15d27900..8f6f7927 100644
--- a/common/rfb/zrleDecode.h
+++ b/common/rfb/zrleDecode.h
@@ -25,9 +25,10 @@
 // FILL_RECT - fill a rectangle with a single colour
 // IMAGE_RECT - draw a rectangle of pixel data from a buffer
+#include <stdio.h>
 #include <rdr/InStream.h>
 #include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
 namespace rfb {
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is,
 len += b;
 } while (b == 255);
-    assert(len <= end - ptr);
+    if (end - ptr < len) {
+      fprintf (stderr, "ZRLE decode error\n");
+      throw Exception ("ZRLE decode error");
+    }
 #ifdef FAVOUR_FILL_RECT
 int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is,
 len += b;
 } while (b == 255);
-      assert(len <= end - ptr);
+      if (end - ptr < len) {
+        fprintf (stderr, "ZRLE decode error\n");
+        throw Exception ("ZRLE decode error");
+      }
 }
 index &= 127; |
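Review bot: The new guard `if (end - ptr < len)` in the @@ -143 hunk (repeated verbatim in the @@ -193 hunk) checks the total only after the preceding `do { ... len += b; } while (b == 255);` has finished, but nothing bounds that accumulation itself: a stream of 0xFF bytes keeps adding 255 until `len` (declared outside the hunk, apparently a signed integer) overflows, which is undefined behaviour, and a wrapped negative value would then pass this comparison. Moving the comparison inside the loop, e.g. `if (end - ptr < len) throw Exception ("ZRLE decode error");` right after `len += b;`, rejects an oversized length as soon as it exceeds the remaining buffer and avoids the overflow; the loop head lies outside the hunk. Separately, the `fprintf (stderr, ...)` immediately before `throw Exception (...)` with the same text reports the error twice from a header-only decoder and is the only reason for the new `#include <stdio.h>`; if the catching code already logs the exception message, the fprintf and the include can be dropped. ZRLE_DECODE begins and ends outside both hunks.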