Diffstat (limited to 'net-misc/vino/files/CVE-2014-6053.patch')
-rw-r--r--net-misc/vino/files/CVE-2014-6053.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/net-misc/vino/files/CVE-2014-6053.patch b/net-misc/vino/files/CVE-2014-6053.patch
new file mode 100644
index 000000000000..8830c30f870d
--- /dev/null
+++ b/net-misc/vino/files/CVE-2014-6053.patch
@@ -0,0 +1,31 @@
+From b1bfadcbfd88970c6d48672e2dbcca8713c91411 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH 1/3] Check malloc() return value on client->server
+ ClientCutText message. Client can send up to 2**32-1 bytes of text, and such
+ a large allocation is likely to fail in case of high memory pressure. This
+ would in a server crash (write at address 0).
+
+---
+ server/libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index a880b53..2615dc3 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -853,6 +853,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+ str = (char *)malloc(msg.cct.length);
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++ rfbCloseClient(cl);
++ return;
++ }
+
+ if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
+ if (n != 0)
+--
+2.20.1
+
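Review bot: The size passed to `malloc(msg.cct.length)` in the ClientCutText branch still comes straight from the client, so the added NULL check stops the write at address 0 but does not limit the up-to-2**32-1-byte allocation that any client can request per message. A bound checked before the allocation would cap the memory pressure one connection can cause, e.g. `if (msg.cct.length > MAX_CUT_TEXT_LEN) { rfbCloseClient(cl); return; }`, where `MAX_CUT_TEXT_LEN` is a placeholder for a limit the project would define. Separately, `malloc(0)` is allowed to return NULL on some platforms, so a zero-length cut text could be reported as "not enough memory" and the client dropped; checking `msg.cct.length != 0 && str == NULL` would avoid that. The body of rfbProcessClientNormalMessage continues outside the hunk, so whether `str` is freed on the `ReadExact` failure path cannot be confirmed from here.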