Patch-Mainline: To be upstreamed
References: bnc#900896 CVE-2014-8240
Signed-off-by: Michal Srb <msrb@suse.com>

Index: tigervnc-1.4.1/unix/x0vncserver/Image.cxx
===================================================================
--- tigervnc-1.4.1.orig/unix/x0vncserver/Image.cxx
+++ tigervnc-1.4.1/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
   xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
                      ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
 
+  if (xim->bytes_per_line <= 0 ||
+      xim->height <= 0 ||
+      xim->height >= INT_MAX / xim->bytes_per_line) {
+    vlog.error("Invalid display size");
+    XDestroyImage(xim);
+    exit(1);
+  }
+
   xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
   if (xim->data == NULL) {
     vlog.error("malloc() failed");
@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
     delete shminfo;
     shminfo = NULL;
     return;
+  }
+
+  if (xim->bytes_per_line <= 0 ||
+      xim->height <= 0 ||
+      xim->height >= INT_MAX / xim->bytes_per_line) {
+    vlog.error("Invalid display size");
+    XDestroyImage(xim);
+    xim = NULL;
+    delete shminfo;
+    shminfo = NULL;
+    return;
   }
 
   shminfo->shmid = shmget(IPC_PRIVATE,
Index: tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/X11PixelBuffer.cxx
+++ tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
@@ -106,6 +106,15 @@ X11PixelBuffer::X11PixelBuffer(int width
     if (!xim)
       throw rfb::Exception(_("Could not create framebuffer image"));
 
+    if (xim->bytes_per_line <= 0 ||
+	xim->height <= 0 ||
+	xim->height >= INT_MAX / xim->bytes_per_line) {
+      if (xim)
+	XDestroyImage(xim);
+      xim = NULL;
+      throw rfb::Exception("Invalid display size");
+    }
+
     xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
     if (!xim->data)
       throw rfb::Exception(_("Not enough memory for framebuffer"));
@@ -172,6 +181,16 @@ int X11PixelBuffer::setupShm()
   if (!xim)
     goto free_shminfo;
 
+  if (xim->bytes_per_line <= 0 ||
+      xim->height <= 0 ||
+      xim->height >= INT_MAX / xim->bytes_per_line) {
+    XDestroyImage(xim);
+    xim = NULL;
+    delete shminfo;
+    shminfo = NULL;
+    throw rfb::Exception("Invalid display size");
+  }
+
   shminfo->shmid = shmget(IPC_PRIVATE,
                           xim->bytes_per_line * xim->height,
                           IPC_CREAT|0777);