summaryrefslogtreecommitdiff
path: root/user/libvncserver/CVE-2019-15690.patch
blob: 7fe36e45466566099524e93e3e84b4487c094a2b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 Nov 2019 17:18:35 +0100
Subject: [PATCH] libvncclient/cursor: limit width/height input values

Avoids a possible heap overflow reported by Pavel Cheremushkin
<Pavel.Cheremushkin@kaspersky.com>.

re #275
---
 libvncclient/cursor.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
 #define OPER_SAVE     0
 #define OPER_RESTORE  1
 
+#define MAX_CURSOR_SIZE 1024
+
 #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
     << client->format.redShift |                                              \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
   if (width * height == 0)
     return TRUE;
 
+  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+    return FALSE;
+
   /* Allocate memory for pixel data and temporary mask data. */
   if(client->rcSource)
     free(client->rcSource);