From 623ee73d661e5ed8475cb264511f683407d87365 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sun, 12 Apr 2020 03:41:30 +0100 Subject: gentoo Easter resync : 12.04.2020 --- .../files/libvncserver-0.9.12-CVE-2019-15690.patch | 39 ++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch (limited to 'net-libs/libvncserver/files') diff --git a/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch new file mode 100644 index 000000000000..5ef290129c72 --- /dev/null +++ b/net-libs/libvncserver/files/libvncserver-0.9.12-CVE-2019-15690.patch @@ -0,0 +1,39 @@ +From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001 +From: Christian Beier +Date: Sun, 17 Nov 2019 17:18:35 +0100 +Subject: [PATCH] libvncclient/cursor: limit width/height input values + +Avoids a possible heap overflow reported by Pavel Cheremushkin +. + +re #275 +--- + libvncclient/cursor.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c +index 67f4572..40ffb3b 100644 +--- a/libvncclient/cursor.c ++++ b/libvncclient/cursor.c +@@ -28,6 +28,8 @@ + #define OPER_SAVE 0 + #define OPER_RESTORE 1 + ++#define MAX_CURSOR_SIZE 1024 ++ + #define RGB24_TO_PIXEL(bpp,r,g,b) \ + ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ + << client->format.redShift | \ +@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h + if (width * height == 0) + return TRUE; + ++ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) ++ return FALSE; ++ + /* Allocate memory for pixel data and temporary mask data. */ + if(client->rcSource) + free(client->rcSource); +-- +2.24.1 + -- cgit v1.2.3