Commit 85a778c0 authored by newsoft's avatar newsoft

Check for MallocFrameBuffer() return value

If MallocFrameBuffer() returns FALSE, the frame buffer pointer is left
NULL. Subsequent writes into that buffer could lead to memory
corruption, or even arbitrary code execution.
parent 045a044e
...@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE); SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h); rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
continue; continue;
...@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
break; break;
...@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client) ...@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client)
client->updateRect.x = client->updateRect.y = 0; client->updateRect.x = client->updateRect.y = 0;
client->updateRect.w = client->width; client->updateRect.w = client->width;
client->updateRect.h = client->height; client->updateRect.h = client->height;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE); SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height); rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
break; break;
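Review bot: The new guard at the MallocFrameBuffer() call only catches a callback that returns FALSE; since MallocFrameBuffer is a client-supplied function pointer, an implementation that returns TRUE but leaves the frame buffer pointer NULL (presumably client->frameBuffer, the pointer the commit message refers to) still reaches the later writes the message warns about, so also testing the pointer, `if (!client->MallocFrameBuffer(client) || !client->frameBuffer)`, would make the check independent of how each callback reports failure. The failure path is also silent while the success path logs the new size; a `rfbClientErr("MallocFrameBuffer failed for %dx%d\n", rect.r.w, rect.r.h);` before `return FALSE;` would let an allocation failure be told apart from an ordinary dropped connection in client logs. The same two points apply to the other two hunks of this file (around new lines 2291 and 2309), where the size is client->width and client->height. HandleRFBServerMessage starts and ends outside these hunks.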
...@@ -250,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client) ...@@ -250,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client)
client->width=client->si.framebufferWidth; client->width=client->si.framebufferWidth;
client->height=client->si.framebufferHeight; client->height=client->si.framebufferHeight;
client->MallocFrameBuffer(client); if (!client->MallocFrameBuffer(client))
return FALSE;
if (!SetFormatAndEncodings(client)) if (!SetFormatAndEncodings(client))
return FALSE; return FALSE;
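Review bot: This change makes the return value of the MallocFrameBuffer callback load-bearing in rfbInitConnection as well as in HandleRFBServerMessage, but the diff does not touch the callback's declaration or its documentation, which lie outside this hunk, so application-supplied implementations written before this commit may still return an arbitrary value. Suggest stating the contract where the callback is declared, along the lines of `/* Must return FALSE when the frame buffer could not be allocated; callers then abandon the connection. */`, so that the new early returns are a documented requirement rather than an accident of the default implementation. Here the early return also happens after client->width and client->height have already been taken from si, leaving the client object with a size but no buffer; presumably rfbInitConnection's caller discards the client on FALSE, which is worth confirming. rfbInitConnection's body continues outside the hunk.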