summaryrefslogtreecommitdiff
path: root/user/libvncserver/CVE-2019-15690.patch
diff options
context:
space:
mode:
Diffstat (limited to 'user/libvncserver/CVE-2019-15690.patch')
-rw-r--r--user/libvncserver/CVE-2019-15690.patch36
1 files changed, 0 insertions, 36 deletions
diff --git a/user/libvncserver/CVE-2019-15690.patch b/user/libvncserver/CVE-2019-15690.patch
deleted file mode 100644
index 7fe36e454..000000000
--- a/user/libvncserver/CVE-2019-15690.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
-From: Christian Beier <dontmind@freeshell.org>
-Date: Sun, 17 Nov 2019 17:18:35 +0100
-Subject: [PATCH] libvncclient/cursor: limit width/height input values
-
-Avoids a possible heap overflow reported by Pavel Cheremushkin
-<Pavel.Cheremushkin@kaspersky.com>.
-
-re #275
----
- libvncclient/cursor.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
-index 67f45726..40ffb3b0 100644
---- a/libvncclient/cursor.c
-+++ b/libvncclient/cursor.c
-@@ -28,6 +28,8 @@
- #define OPER_SAVE 0
- #define OPER_RESTORE 1
-
-+#define MAX_CURSOR_SIZE 1024
-+
- #define RGB24_TO_PIXEL(bpp,r,g,b) \
- ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
- << client->format.redShift | \
-@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
- if (width * height == 0)
- return TRUE;
-
-+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
-+ return FALSE;
-+
- /* Allocate memory for pixel data and temporary mask data. */
- if(client->rcSource)
- free(client->rcSource);