Diffstat (limited to 'net-misc/vino/files/CVE-2014-6053.patch')
-rw-r--r-- | net-misc/vino/files/CVE-2014-6053.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/net-misc/vino/files/CVE-2014-6053.patch b/net-misc/vino/files/CVE-2014-6053.patch
new file mode 100644
index 000000000000..8830c30f870d
--- /dev/null
+++ b/net-misc/vino/files/CVE-2014-6053.patch
@@ -0,0 +1,31 @@
+From b1bfadcbfd88970c6d48672e2dbcca8713c91411 Mon Sep 17 00:00:00 2001
+From: Nicolas Ruff <nruff@google.com>
+Date: Mon, 18 Aug 2014 15:16:16 +0200
+Subject: [PATCH 1/3] Check malloc() return value on client->server
+ ClientCutText message. Client can send up to 2**32-1 bytes of text, and such
+ a large allocation is likely to fail in case of high memory pressure. This
+ would in a server crash (write at address 0).
+
+---
+ server/libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
+index a880b53..2615dc3 100644
+--- a/server/libvncserver/rfbserver.c
++++ b/server/libvncserver/rfbserver.c
+@@ -853,6 +853,11 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
+ msg.cct.length = Swap32IfLE(msg.cct.length);
+
+ str = (char *)malloc(msg.cct.length);
++ if (str == NULL) {
++ rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
++ rfbCloseClient(cl);
++ return;
++ }
+
+ if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
+ if (n != 0)
+--
+2.20.1
+
|
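Review bot: The size passed to `malloc(msg.cct.length)` in the embedded rfbserver.c hunk is still taken unchecked from the client's ClientCutText header. The added NULL test therefore stops the write through a null pointer, but a peer can still make the server attempt an allocation of up to 2**32-1 bytes per message. A bound checked before the allocation would close that gap, for example `if (msg.cct.length > MAX_CUT_TEXT_LEN) { rfbCloseClient(cl); return; }`, where `MAX_CUT_TEXT_LEN` is a placeholder for a limit the project would choose. Separately, `malloc(0)` may legitimately return NULL on some platforms, so a zero-length cut text could be logged as "not enough memory" and the client dropped; handling the zero-length case before the allocation avoids that. rfbProcessClientNormalMessage starts and ends outside the hunk, so whether a cap exists earlier, or whether `str` is freed on the `ReadExact` failure path, cannot be confirmed from the lines shown.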