diff options
Diffstat (limited to 'user/libvncserver/CVE-2019-15690.patch')
-rw-r--r-- | user/libvncserver/CVE-2019-15690.patch | 36 |
1 files changed, 0 insertions, 36 deletions
diff --git a/user/libvncserver/CVE-2019-15690.patch b/user/libvncserver/CVE-2019-15690.patch deleted file mode 100644 index 7fe36e454..000000000 --- a/user/libvncserver/CVE-2019-15690.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001 -From: Christian Beier <dontmind@freeshell.org> -Date: Sun, 17 Nov 2019 17:18:35 +0100 -Subject: [PATCH] libvncclient/cursor: limit width/height input values - -Avoids a possible heap overflow reported by Pavel Cheremushkin -<Pavel.Cheremushkin@kaspersky.com>. - -re #275 ---- - libvncclient/cursor.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c -index 67f45726..40ffb3b0 100644 ---- a/libvncclient/cursor.c -+++ b/libvncclient/cursor.c -@@ -28,6 +28,8 @@ - #define OPER_SAVE 0 - #define OPER_RESTORE 1 - -+#define MAX_CURSOR_SIZE 1024 -+ - #define RGB24_TO_PIXEL(bpp,r,g,b) \ - ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ - << client->format.redShift | \ -@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h - if (width * height == 0) - return TRUE; - -+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) -+ return FALSE; -+ - /* Allocate memory for pixel data and temporary mask data. */ - if(client->rcSource) - free(client->rcSource); |