diff options
Diffstat (limited to 'net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch')
-rw-r--r-- | net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch b/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch new file mode 100644 index 000000000000..dd2707394870 --- /dev/null +++ b/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch @@ -0,0 +1,78 @@ +Patch-Mainline: To be upstreamed +References: bnc#900896 CVE-2014-8240 +Signed-off-by: Michal Srb <msrb@suse.com> + +Index: tigervnc-1.4.1/unix/x0vncserver/Image.cxx +=================================================================== +--- tigervnc-1.4.1.orig/unix/x0vncserver/Image.cxx ++++ tigervnc-1.4.1/unix/x0vncserver/Image.cxx +@@ -80,6 +80,14 @@ void Image::Init(int width, int height) + xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)), + ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0); + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ vlog.error("Invalid display size"); ++ XDestroyImage(xim); ++ exit(1); ++ } ++ + xim->data = (char *)malloc(xim->bytes_per_line * xim->height); + if (xim->data == NULL) { + vlog.error("malloc() failed"); +@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh + delete shminfo; + shminfo = NULL; + return; ++ } ++ ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ vlog.error("Invalid display size"); ++ XDestroyImage(xim); ++ xim = NULL; ++ delete shminfo; ++ shminfo = NULL; ++ return; + } + + shminfo->shmid = shmget(IPC_PRIVATE, +Index: tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx +=================================================================== +--- tigervnc-1.4.1.orig/vncviewer/X11PixelBuffer.cxx ++++ tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx +@@ -106,6 +106,15 @@ X11PixelBuffer::X11PixelBuffer(int width + if (!xim) + throw rfb::Exception(_("Could not create framebuffer image")); + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ if (xim) ++ XDestroyImage(xim); ++ xim = NULL; ++ throw rfb::Exception("Invalid display size"); ++ } ++ + xim->data = (char*)malloc(xim->bytes_per_line * xim->height); + if (!xim->data) + throw rfb::Exception(_("Not enough memory for framebuffer")); +@@ -172,6 +181,16 @@ int X11PixelBuffer::setupShm() + if (!xim) + goto free_shminfo; + ++ if (xim->bytes_per_line <= 0 || ++ xim->height <= 0 || ++ xim->height >= INT_MAX / xim->bytes_per_line) { ++ XDestroyImage(xim); ++ xim = NULL; ++ delete shminfo; ++ shminfo = NULL; ++ throw rfb::Exception("Invalid display size"); ++ } ++ + shminfo->shmid = shmget(IPC_PRIVATE, + xim->bytes_per_line * xim->height, + IPC_CREAT|0777); |