2482f8b8dc
Security fixes for: * CVE-2019-8287 * CVE-2019-15678 * CVE-2019-15679 * CVE-2019-15680 mostly adapted from patches fixing similar issues in the actively maintained libvnc (#73970)
Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
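diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
index 04b0230..bd11b54 100644
--- a/vncviewer/rfbproto.c
+++ b/vncviewer/rfbproto.c
@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
 si.format.blueMax = Swap16IfLE(si.format.blueMax);
 si.nameLength = Swap32IfLE(si.nameLength);
 
- /* FIXME: Check arguments to malloc() calls. */
+ if (si.nameLength > 1<<20) {
+ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
+ (unsigned long)si.nameLength);
+ return False;
+ }
+
 desktopName = malloc(si.nameLength + 1);
 if (!desktopName) {
 fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",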
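Review bot: The new bound on `si.nameLength` is a bare `1<<20` that is repeated by hand as "1 MB" in the message, and the removed FIXME is not replaced by any comment saying why the limit exists. I would name the limit, e.g. `#define MAX_DESKTOP_NAME_LEN (1 << 20)`, use it in the comparison, and add above the check `/* Server-supplied length: bound it so nameLength + 1 cannot wrap and the allocation stays small. */`. The wrap concern assumes `nameLength` is a 32-bit unsigned field, which the `Swap32IfLE` call suggests but the hunk does not show. InitialiseRFBConnection continues past the end of the hunk, so the read into `desktopName` and its termination are not visible here; confirm they use the same validated length.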