Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch
diff options
context:
space:
mode:
Diffstat (limited to 'net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch')
-rw-r--r--net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch b/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch
new file mode 100644
index 000000000000..dd2707394870
--- /dev/null
+++ b/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch
@@ -0,0 +1,78 @@
+Patch-Mainline: To be upstreamed
+References: bnc#900896 CVE-2014-8240
+Signed-off-by: Michal Srb <msrb@suse.com>
+
+Index: tigervnc-1.4.1/unix/x0vncserver/Image.cxx
+===================================================================
+--- tigervnc-1.4.1.orig/unix/x0vncserver/Image.cxx
++++ tigervnc-1.4.1/unix/x0vncserver/Image.cxx
+@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
+ xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
+ ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ vlog.error("Invalid display size");
++ XDestroyImage(xim);
++ exit(1);
++ }
++
+ xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
+ if (xim->data == NULL) {
+ vlog.error("malloc() failed");
+@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
+ delete shminfo;
+ shminfo = NULL;
+ return;
++ }
++
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ vlog.error("Invalid display size");
++ XDestroyImage(xim);
++ xim = NULL;
++ delete shminfo;
++ shminfo = NULL;
++ return;
+ }
+
+ shminfo->shmid = shmget(IPC_PRIVATE,
+Index: tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
+===================================================================
+--- tigervnc-1.4.1.orig/vncviewer/X11PixelBuffer.cxx
++++ tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
+@@ -106,6 +106,15 @@ X11PixelBuffer::X11PixelBuffer(int width
+ if (!xim)
+ throw rfb::Exception(_("Could not create framebuffer image"));
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ if (xim)
++ XDestroyImage(xim);
++ xim = NULL;
++ throw rfb::Exception("Invalid display size");
++ }
++
+ xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
+ if (!xim->data)
+ throw rfb::Exception(_("Not enough memory for framebuffer"));
+@@ -172,6 +181,16 @@ int X11PixelBuffer::setupShm()
+ if (!xim)
+ goto free_shminfo;
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ XDestroyImage(xim);
++ xim = NULL;
++ delete shminfo;
++ shminfo = NULL;
++ throw rfb::Exception("Invalid display size");
++ }
++
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+ IPC_CREAT|0777);