path: root/common/rfb
Commit message (Author, Age, Files, Lines)
...
| * | Generalise corking to all output streams (Pierre Ossman, 2020-05-21, 2 files, -6/+8)
| | |   The principle can be used in a more general fashion than just TCP streams.
| * | Remove unused bufSize argument from streams (Pierre Ossman, 2020-05-21, 1 file, -1/+1)
| | |
| * | Remove special functions from JPEG compressor (Pierre Ossman, 2020-05-21, 2 files, -7/+1)
| | |   We can do what we want with the standard methods.
| * | Simplify stream availability handling (Pierre Ossman, 2020-05-21, 2 files, -3/+3)
| | |   Just have a simple number of bytes argument to avoid a lot of complexity.
| * | Add stream avail() methods (Pierre Ossman, 2020-05-21, 1 file, -2/+2)
| | |   Makes it more readable to write code that needs to know how much data/space is available in a stream.
| * | Remove OutStream::skip() (Pierre Ossman, 2020-05-21, 1 file, -1/+1)
| | |   It might leak data depending on what's in the buffer. Use pad() instead where blank space is needed.
| * | Throw more descriptive error on decode error (Pierre Ossman, 2020-05-21, 1 file, -2/+7)
| | |   We need to be able to tell this exception came from a decoder.
| * | Flush data on close (Pierre Ossman, 2020-05-21, 1 file, -0/+11)
| | |   There might be some final handshake data that is still stuck in the buffers, so make a best effort attempt at getting it to the client.
| * | Fix connection close log (Pierre Ossman, 2020-05-19, 2 files, -2/+4)
| | |   The socket is closed at this point so we have to rely on a cached value for the logging.
| * | Move auth failure delay to SConnection (Pierre Ossman, 2020-05-19, 4 files, -46/+54)
| | |   It's a generic feature that is better handled as part of SConnection's state machine.
| * | Support calling methods from timers (Pierre Ossman, 2020-05-19, 1 file, -0/+15)
| | |   We can't safely use the normal timers in base classes as we cannot guarantee that subclasses will call the base class' handleTimeout() properly if the subclass overrides it.
* | | Fix handling of bad update requests (Pierre Ossman, 2021-01-14, 1 file, -1/+1)
| |/
|/|
| |   We computed a safe area if a client gave us a bogus one, but we didn't actually use it. Fix this properly and make sure we don't pass on bad coordinates further.
* | Correctly clear out output UTF-16 buffer (Pierre Ossman, 2020-10-05, 1 file, -1/+1)
| |   Each character is more than one byte, so adjust the clearing of the buffer to reflect that.
* | Correctly handle invalid UTF-16 code points (Pierre Ossman, 2020-10-05, 1 file, -1/+1)
| |   Some code points are reserved for the UTF-16 coding itself and must not appear as input data to the algorithm.
* | Fix conversion of latin-1 to UTF-8 (Pierre Ossman, 2020-10-05, 1 file, -2/+2)
| |   Signed bug prevented anything not ASCII from being coded correctly.
* | Fix UTF-16 encoding/decoding of high code points (Pierre Ossman, 2020-10-05, 1 file, -3/+4)
| |   Everything outside of BMP was handled incorrectly and was coded as completely different code points.
* | Return the correct number of consumed UTF-8 bytes (Pierre Ossman, 2020-10-05, 1 file, -0/+2)
| |   This would mess up most conversions from UTF-8 as the caller wouldn't know how far to step to get to the next valid character, resulting in markers for invalid data to be injected here and there. Also add some unit tests to avoid this reoccurring.
* | Merge branch 'tlstofu' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2020-09-08, 1 file, -90/+73)
|\ \
| * | Properly store certificate exceptions (Pierre Ossman, 2020-05-21, 1 file, -90/+73)
| |/
| |   The previous method stored the certificates as authorities, meaning that the owner of that certificate could impersonate any server it wanted after a client had added an exception. Handle this more properly by only storing exceptions for specific hostname/certificate combinations, the same way browsers or SSH does things.
* | Hide base SConnection methods from VNCServerST (Pierre Ossman, 2020-08-21, 2 files, -2/+4)
| |   It should be using the safe wrappers for everything so make sure it cannot bypass those and call the SConnection methods directly.
* | Call correct wrappers for clipboard handling (Pierre Ossman, 2020-08-21, 1 file, -3/+3)
| |   We incorrectly called the underlying functions instead of the safe wrappers for the new clipboard functions. This had the effect of a) crashing the entire server if one of these functions failed, and b) not respecting the settings disabling the clipboard.
* | Enhanced ComparingUpdateTracker to crop changed blocks (Mark Mielke, 2020-07-22, 1 file, -4/+80)
| |   64x64 changed block can be large for fine changes such as cursor movement and typing in terminal windows, or an update to a clock. If the block can be efficiently cropped, this will reduce latency and bandwidth. Every pixel cropped is a pixel less to analyze, encode, transmit, and decode.
| |
| |   The previous code already detected the top of the change in order to determine if the block had changed. However, it did not use this information to reduce the size of the change rectangle, nor did it calculate any of the other edges. The new code introduces detection of the other edges, and uses the information to build a reduced area change rectangle. This has the additional effect of reducing the number of discrete pixel values in the change block which may allow a more efficient encoding algorithm to be selected.
| |
| |   As this section of code is performance sensitive, the method of detecting the edges has been optimized to quickly fall back to pessimistic values as soon as a single comparison fails on each edge. In the case that full 64x64 blocks are changing, there will be three extra comparisons per block. In cases where the change rectangle can be reduced from 64x64, the reduced size of the change rectangle represents reduced effort to encode, transfer, and decode the contained pixels.
| |
| |   In the case of images with high frequency changes, which specifically includes text, the lossy JPEG encoding can be highly distorted, especially with JPEG level 6 or less. The quick flash from a distorted JPEG to a lossless JPEG can appear as a flickering to some people. This effect was more obvious when the surrounding area is not expected to change, but is being distorted anyways due to being part of the 64x64 blocking algorithm.
| |
| |   In the case of a user typing in a terminal window, this change may commonly reduce the number of pixels updated with every character typed from 4096 pixels (64x64) to 640 pixels (32x20) or less.
* | Fix non-functional MaxDisconnectionTime (Pierre Ossman, 2020-06-18, 1 file, -5/+5)
| |   Since 8e09912 this wasn't triggered properly as we checked if all clients were gone before we actually removed the last client from our list.
* | Merge branch 'regions' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2020-06-15, 4 files, -143/+60)
|\ \
| * | Get rid of magical assignment to Region (Pierre Ossman, 2020-05-18, 3 files, -36/+2)
| | |   Might as well make these explicit so the cost is apparent.
| * | Switch region code to pixman (Pierre Ossman, 2020-05-01, 3 files, -114/+65)
| |/
| |   This is the current upstream so let's make use of it to get the latest in features and fixes.
* | Remove unused variable (Pierre Ossman, 2020-05-31, 1 file, -1/+0)
| |
* | Fix JpegCompressor::overrun() type change (Pierre Ossman, 2020-05-31, 1 file, -1/+1)
| |   The method it overloads got tweaked some time ago, so we need to make sure this method follows suit.
* | Send response for refused SetDesktopSize (matt335672, 2020-05-29, 1 file, -3/+4)
| |   Sends response for SetDesktopSize as per the community wiki specification
* | Reject too large screen resize requests (Pierre Ossman, 2020-05-23, 1 file, -0/+5)
|/
|   We'll just crash later if we try to use such a large screen, so reject the request from the client instead and keep the server running.
* Make PAM mandatory (Pierre Ossman, 2020-03-12, 5 files, -24/+6)
|   It is present on all UNIX systems anyway, so let's simplify things. We will need it for more proper session startup anyway.
* Use sys/time.h on Windows as well (Pierre Ossman, 2020-01-16, 1 file, -4/+0)
|   Modern MinGW seems to provide this, so simplify things a bit. This also side steps some of the issue of the windows.h/winsock2.h include ordering.
* Allow XK_Scroll_Lock when LED state isn't supported (Pierre Ossman, 2020-01-03, 1 file, -9/+1)
|   Otherwise such clients cannot use Scroll Lock at all, and that is probably worse than any effects we might get from getting out of sync.
* Remove unneeded memory checks (Pierre Ossman, 2019-12-30, 1 file, -4/+0)
|   new throws an exception on allocation errors rather than return NULL.
* Fix saving of bad server certificates (Pierre Ossman, 2019-12-30, 1 file, -2/+3)
|   This check is completely backwards and it is currently unknown how this ever worked.
* Merge branch 'secfix' of https://github.com/CendioOssman/tigervnc (Pierre Ossman, 2019-12-20, 16 files, -88/+171)
|\
| * Handle pixel formats with odd shift values (Pierre Ossman, 2019-11-15, 1 file, -0/+6)
| |   Our fast paths assume that each channel fits in to a separate byte. That means the shift needs to be a multiple of 8. Start actually checking this so that a client cannot trip us up and possibly cause incorrect code execution. Issue found by Pavel Cheremushkin from Kaspersky Lab.
| * Use size_t for lengths in stream objects (Pierre Ossman, 2019-11-15, 5 files, -16/+17)
| |   Provides safety against them accidentally becoming negative because of bugs in the calculations. Also does the same to CharArray and friends as they were strongly connected to the stream objects.
| * Add sanity checks for PixelFormat shift values (Pierre Ossman, 2019-11-15, 1 file, -0/+7)
| |   Otherwise we might be tricked in to reading and writing things at incorrect offsets for pixels which ultimately could result in an attacker writing things to the stack or heap and executing things they shouldn't. This only affects the server as the client never uses the pixel format suggested by the server. Issue found by Pavel Cheremushkin from Kaspersky Lab.
| * Fix depth sanity test in PixelFormat (Pierre Ossman, 2019-11-15, 1 file, -1/+1)
| |
| * Add unit test for PixelFormat sanity checks (Pierre Ossman, 2019-11-15, 1 file, -1/+2)
| |
| * Handle empty Tight gradient rects (Pierre Ossman, 2019-11-15, 1 file, -16/+21)
| |   We always assumed there would be one pixel per row so a rect with a zero width would result in us writing to unknown memory. This could theoretically be used by a malicious server to inject code in to the viewer process. Issue found by Pavel Cheremushkin from Kaspersky Lab.
| * Add write protection to OffsetPixelBuffer (Pierre Ossman, 2019-11-15, 2 files, -0/+9)
| |   No one should ever try to write to this buffer. Enforce that by throwing an exception if anyone tries to get a writeable pointer to the data.
| * Restrict PixelBuffer dimensions to safe values (Pierre Ossman, 2019-11-15, 1 file, -0/+22)
| |   We do a lot of calculations based on pixel coordinates and we need to make sure they do not overflow. Restrict the maximum dimensions we support rather than try to switch over all calculations to use 64 bit integers. This prevents attackers from injecting code by specifying a huge framebuffer size and relying on the values overflowing to access invalid areas of the heap. This primarily affects the client which gets both the screen dimensions and the pixel contents from the remote side. But the server might also be affected as a client can adjust the screen dimensions, as can applications inside the session. Issue found by Pavel Cheremushkin from Kaspersky Lab.
| * Encapsulate PixelBuffer internal details (Pierre Ossman, 2019-11-15, 4 files, -50/+78)
| |   Don't allow subclasses to just override dimensions or buffer details directly and instead force them to go via methods. This allows us to do sanity checks on the new values and catch bugs and attacks.
| * Make ZlibInStream more robust against failures (Pierre Ossman, 2019-11-15, 4 files, -4/+8)
| |   Move the checks around to avoid missing cases where we might access memory that is no longer valid. Also avoid touching the underlying stream implicitly (e.g. via the destructor) as it might also no longer be valid. A malicious server could theoretically use this for remote code execution in the client. Issue found by Pavel Cheremushkin from Kaspersky Lab
* | Correctly calculate rects with no CopyRect support (Pierre Ossman, 2019-12-09, 1 file, -1/+3)
|/
|   The copied rects have already been merged in to the changed rects at this point if the client doesn't support the CopyRect encoding.
* Merge branch 'fix-mistake' of https://github.com/gschwind/tigervnc (Pierre Ossman, 2019-10-14, 1 file, -2/+2)
|\
| * fix too early remove of iterator in VNCServerST::removeSocket (Benoit Gschwind, 2019-08-24, 1 file, -2/+2)
| |
* | Fix bad PixelBuffer reference in VNCServerST::setPixelBuffer() (Pierre Ossman, 2019-10-04, 1 file, -1/+1)
| |   We need to examine the incoming PixelBuffer, not the previous one (which might not even be valid).