authorPierre Ossman <ossman@cendio.se>2019-09-10 11:05:48 +0200
committerPierre Ossman <ossman@cendio.se>2019-11-15 10:53:26 +0100
commitd61a767d6842b530ffb532ddd5a3d233119aad40 (patch)
treed2facc2d59760bdee45f66e4a07f30a8774efce7 /common/rfb
parentbbbb67ee32b4ce909157ffc5af13a449059d4cdf (diff)
Make ZlibInStream more robust against failures
Move the checks around to avoid missing cases where we might access memory that is no longer valid. Also avoid touching the underlying stream implicitly (e.g. via the destructor) as it might also no longer be valid. A malicious server could theoretically use this for remote code execution in the client. Issue found by Pavel Cheremushkin from Kaspersky Lab
Diffstat (limited to 'common/rfb')
-rw-r--r--common/rfb/CMsgReader.cxx3
-rw-r--r--common/rfb/SMsgReader.cxx3
-rw-r--r--common/rfb/TightDecoder.cxx3
-rw-r--r--common/rfb/zrleDecode.h3
4 files changed, 8 insertions, 4 deletions
diff --git a/common/rfb/CMsgReader.cxx b/common/rfb/CMsgReader.cxx
index a9e12d70..52d40ce7 100644
--- a/common/rfb/CMsgReader.cxx
+++ b/common/rfb/CMsgReader.cxx
@@ -242,7 +242,8 @@ void CMsgReader::readExtendedClipboard(rdr::S32 len)
num++;
}
- zis.removeUnderlying();
+ zis.flushUnderlying();
+ zis.setUnderlying(NULL, 0);
handler->handleClipboardProvide(flags, lengths, buffers);
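Review bot: The new pair `zis.flushUnderlying(); zis.setUnderlying(NULL, 0);` is not exception-safe as a unit: if `flushUnderlying()` throws (for example when the underlying stream runs short or the compressed data is corrupt), `setUnderlying(NULL, 0)` never runs and `zis` keeps referencing an underlying stream that, per the commit message, may no longer be valid by the time `zis` is next touched — the very condition this change is meant to close. Whether `flushUnderlying()` can throw is not visible here and should be confirmed against ZlibInStream.cxx. The same two-line sequence is repeated in SMsgReader.cxx, TightDecoder.cxx and zrleDecode.h, so the ordering has to be right in four places; consider folding both steps into a single ZlibInStream member that detaches the underlying stream even when the flush fails (rethrowing afterwards) and calling that at all four sites. readExtendedClipboard's body begins before this hunk.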
diff --git a/common/rfb/SMsgReader.cxx b/common/rfb/SMsgReader.cxx
index ab42e59a..dc7ddea6 100644
--- a/common/rfb/SMsgReader.cxx
+++ b/common/rfb/SMsgReader.cxx
@@ -293,7 +293,8 @@ void SMsgReader::readExtendedClipboard(rdr::S32 len)
num++;
}
- zis.removeUnderlying();
+ zis.flushUnderlying();
+ zis.setUnderlying(NULL, 0);
handler->handleClipboardProvide(flags, lengths, buffers);
diff --git a/common/rfb/TightDecoder.cxx b/common/rfb/TightDecoder.cxx
index 5b7c553d..ebc98b06 100644
--- a/common/rfb/TightDecoder.cxx
+++ b/common/rfb/TightDecoder.cxx
@@ -341,7 +341,8 @@ void TightDecoder::decodeRect(const Rect& r, const void* buffer,
zis[streamId].readBytes(netbuf, dataSize);
- zis[streamId].removeUnderlying();
+ zis[streamId].flushUnderlying();
+ zis[streamId].setUnderlying(NULL, 0);
delete ms;
bufptr = netbuf;
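Review bot: If `zis[streamId].flushUnderlying()` throws, the `delete ms;` on the following line is also skipped, so `ms` leaks on every such error and, since `zis[streamId]` is indexed by stream id and presumably outlives this call, it is left attached to that orphaned memory stream until the next rect resets it. Holding `ms` in a scoped owner (or an RAII guard that both deletes it and calls `setUnderlying(NULL, 0)` on scope exit) would make the cleanup independent of how `flushUnderlying()` exits. decodeRect's body starts and ends outside this hunk, so where `ms` is created is not visible here.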
diff --git a/common/rfb/zrleDecode.h b/common/rfb/zrleDecode.h
index 32b5c92b..f4325385 100644
--- a/common/rfb/zrleDecode.h
+++ b/common/rfb/zrleDecode.h
@@ -174,7 +174,8 @@ void ZRLE_DECODE (const Rect& r, rdr::InStream* is,
}
}
- zis->removeUnderlying();
+ zis->flushUnderlying();
+ zis->setUnderlying(NULL, 0);
}
#undef ZRLE_DECODE