jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-07-27 13:16:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

package/libvncserver: fix CVE-2019-20788

Browse Source 
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
HandleCursorShape integer overflow and heap-based buffer overflow via a
large height or width value. NOTE: this may overlap CVE-2019-15690.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2020-05-02 22:07:47 +02:00 committed by Peter Korsgaard
parent fb8186d53e
commit 705adbaf9a
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
package/libvncserver/0006-libvncclient-cursor-limit-width-height-input-values.patch Normal file
View File

@ -0,0 +1,40 @@
From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
From: Christian Beier <dontmind@freeshell.org>
Date: Sun, 17 Nov 2019 17:18:35 +0100
Subject: [PATCH] libvncclient/cursor: limit width/height input values
Avoids a possible heap overflow reported by Pavel Cheremushkin
<Pavel.Cheremushkin@kaspersky.com>.
re #275
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed]
---
libvncclient/cursor.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
#define OPER_SAVE 0
#define OPER_RESTORE 1
+#define MAX_CURSOR_SIZE 1024
+
#define RGB24_TO_PIXEL(bpp,r,g,b) \
((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \
<< client->format.redShift | \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
if (width * height == 0)
return TRUE;
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+ return FALSE;
+
/* Allocate memory for pixel data and temporary mask data. */
if(client->rcSource)
free(client->rcSource);

3
package/libvncserver/libvncserver.mk
View File

@ -19,6 +19,9 @@ LIBVNCSERVER_IGNORE_CVES += CVE-2018-20750
# 0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch # 0004-rfbserver-don-t-leak-stack-memory-to-the-remote.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2019-15681 LIBVNCSERVER_IGNORE_CVES += CVE-2019-15681
# 0006-libvncclient-cursor-limit-width-height-input-values.patch
LIBVNCSERVER_IGNORE_CVES += CVE-2019-20788
# only used for examples # only used for examples
LIBVNCSERVER_CONF_OPTS += \ LIBVNCSERVER_CONF_OPTS += \
-DWITH_FFMPEG=OFF \ -DWITH_FFMPEG=OFF \