Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
56 | magnus | 1 | Description: CVE-2018-20024 |
2 | null pointer dereference in VNC client code that can result DoS. |
||
3 | --- |
||
4 | |||
5 | Author: Abhijith PA <abhijith@debian.org> |
||
6 | Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 |
||
7 | Bug: https://github.com/LibVNC/libvncserver/issues/254 |
||
8 | Bug-Debian: https://bugs.debian.org/916941 |
||
9 | Last-Update: 2018-12-23 |
||
10 | |||
11 | [sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c. |
||
12 | The ultra.c code that this has originally been reported against is not present in |
||
13 | ssvnc. |
||
14 | |||
15 | --- a/vnc_unixsrc/vncviewer/zlib.c |
||
16 | +++ b/vnc_unixsrc/vncviewer/zlib.c |
||
17 | @@ -55,6 +55,11 @@ |
||
18 | raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); |
||
19 | raw_buffer = (char*) malloc( raw_buffer_size ); |
||
20 | |||
21 | + if (raw_buffer == NULL) { |
||
22 | + |
||
23 | + return False; |
||
24 | + |
||
25 | + } |
||
26 | } |
||
27 | |||
28 | if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) |
||
29 | --- a/vnc_unixsrc/vncviewer/zrle.c |
||
30 | +++ b/vnc_unixsrc/vncviewer/zrle.c |
||
31 | @@ -132,6 +132,12 @@ |
||
32 | raw_buffer_size = min_buffer_size; |
||
33 | raw_buffer = (char*) malloc( raw_buffer_size ); |
||
34 | |||
35 | + if ( raw_buffer == NULL ) { |
||
36 | + |
||
37 | + return False; |
||
38 | + |
||
39 | + } |
||
40 | + |
||
41 | } |
||
42 | |||
43 | if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) |