    Fix potential memory corruption in libvncclient. · 95efcfbf
    Christian Beier authored
    Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):
    
    LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length
    
    It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.
    
      case rfbServerCutText:
      {
        char *buffer;
    
        if (!ReadFromRFBServer(client, ((char *)&msg) + 1,
    			   sz_rfbServerCutTextMsg - 1))
          return FALSE;
    
        msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length
    
        buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0
    
        if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer
          return FALSE;
    
        buffer[msg.sct.length] = 0; << Attempt to write to buffer
    
        if (client->GotXCutText)
          client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer
    
        free(buffer);
    
        break;
      }
    
    If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.
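As an added illustration (not the commit's own change and not LibVNCServer code), the handler from the report rewritten defensively, parsing the ServerCutText body from an in-memory buffer that stands in for the socket; `read_cut_text` and the `MAX_CUT_TEXT` cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a cut-text payload; the original client has no such cap. */
#define MAX_CUT_TEXT (1u << 20)

/* Parse a ServerCutText body from a constructed byte buffer (everything after the
 * 1-byte message type): 3 bytes padding, 4-byte big-endian length, then the text.
 * Returns a malloc'd NUL-terminated copy, or NULL if the message is malformed,
 * the length is implausible, or allocation fails. Sets *out_len on success. */
char *read_cut_text(const uint8_t *buf, size_t buflen, uint32_t *out_len)
{
    uint32_t len;
    char *text;

    if (buflen < 7)               /* padding + length field must be present */
        return NULL;

    len = ((uint32_t)buf[3] << 24) | ((uint32_t)buf[4] << 16) |
          ((uint32_t)buf[5] << 8)  |  (uint32_t)buf[6];

    /* Validate before allocating: the report's code passed a peer-controlled length
     * straight to malloc(len+1), so 0xffffffff wraps to malloc(0) and any huge
     * value can make malloc fail; either way the later writes go through a bad pointer. */
    if (len > MAX_CUT_TEXT || len > buflen - 7)
        return NULL;

    text = malloc((size_t)len + 1);
    if (text == NULL)             /* the missing check: never write through NULL */
        return NULL;

    memcpy(text, buf + 7, len);   /* stand-in for ReadFromRFBServer(client, buffer, len) */
    text[len] = '\0';
    if (out_len)
        *out_len = len;
    return text;
}
```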
sockets.c 17.5 KB