51 lines
1.2 KiB
Diff
51 lines
1.2 KiB
Diff
https://bugs.gentoo.org/527088
|
|
|
|
From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
|
|
From: Petr Matousek <pmatouse@redhat.com>
|
|
Date: Mon, 27 Oct 2014 12:41:44 +0100
|
|
Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
|
|
|
|
bits_per_pixel that are less than 8 could result in accessing
|
|
non-initialized buffers later in the code due to the expectation
|
|
that bytes_per_pixel value that is used to initialize these buffers is
|
|
never zero.
|
|
|
|
To fix this check that bits_per_pixel from the client is one of the
|
|
values that the rfb protocol specification allows.
|
|
|
|
This is CVE-2014-7815.
|
|
|
|
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
|
|
[ kraxel: apply codestyle fix ]
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
---
|
|
ui/vnc.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/ui/vnc.c b/ui/vnc.c
|
|
index 0fe6eff..8bca597 100644
|
|
--- a/ui/vnc.c
|
|
+++ b/ui/vnc.c
|
|
@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
|
|
return;
|
|
}
|
|
|
|
+ switch (bits_per_pixel) {
|
|
+ case 8:
|
|
+ case 16:
|
|
+ case 32:
|
|
+ break;
|
|
+ default:
|
|
+ vnc_client_error(vs);
|
|
+ return;
|
|
+ }
|
|
+
|
|
vs->client_pf.rmax = red_max;
|
|
vs->client_pf.rbits = hweight_long(red_max);
|
|
vs->client_pf.rshift = red_shift;
|
|
--
|
|
2.1.2
|
|
|