-
Christian Beier authored
Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]): LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message. case rfbServerCutText: { char *buffer; if (!ReadFromRFBServer(client, ((char *)&msg) + 1, sz_rfbServerCutTextMsg - 1)) return FALSE; msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0 if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer return FALSE; buffer[msg.sct.length] = 0; << Attempt to write to buffer if (client->GotXCutText) client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer free(buffer); break; } If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.95efcfbf
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| Makefile.am | ||
| corre.c | ||
| cursor.c | ||
| h264.c | ||
| hextile.c | ||
| listen.c | ||
| rfbproto.c | ||
| rre.c | ||
| sockets.c | ||
| tight.c | ||
| tls.h | ||
| tls_gnutls.c | ||
| tls_none.c | ||
| tls_openssl.c | ||
| ultra.c | ||
| vncviewer.c | ||
| zlib.c | ||
| zrle.c |