forked from mirrors/nixpkgs
2482f8b8dc
Security fixes for: * CVE-2019-8287 * CVE-2019-15678 * CVE-2019-15679 * CVE-2019-15680 mostly adapted from patches fixing similar issues in the actively maintained libvnc (#73970)
15 lines
635 B
Diff
15 lines
635 B
Diff
Adapted from https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
|
|
diff --git a/vncviewer/corre.c b/vncviewer/corre.c
|
|
index c846a10..a4c272d 100644
|
|
--- a/vncviewer/corre.c
|
|
+++ b/vncviewer/corre.c
|
|
@@ -56,7 +56,7 @@ HandleCoRREBPP (int rx, int ry, int rw, int rh)
|
|
XChangeGC(dpy, gc, GCForeground, &gcv);
|
|
XFillRectangle(dpy, desktopWin, gc, rx, ry, rw, rh);
|
|
|
|
- if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
|
|
+ if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || !ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8))))
|
|
return False;
|
|
|
|
ptr = (CARD8 *)buffer;
|