
Description: CVE-2018-20024
 null pointer dereference in VNC client code that can result in DoS.
---

Author: Abhijith PA <abhijith@debian.org>
Origin: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7
Bug: https://github.com/LibVNC/libvncserver/issues/254
Bug-Debian: https://bugs.debian.org/916941
Last-Update: 2018-12-23

[sunweaver] Investigate CVE-2018-20024 in ssvnc and find similar issues in zrle.c and zlib.c.
            The ultra.c code that this was originally reported against is not present in
            ssvnc.

--- a/vnc_unixsrc/vncviewer/zlib.c
+++ b/vnc_unixsrc/vncviewer/zlib.c
@@ -55,6 +55,11 @@
     raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
     raw_buffer = (char*) malloc( raw_buffer_size );
 
+    if (raw_buffer == NULL) {
+
+       return False;
+
+    }
   }
 
   if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))
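
Review bot: In the zlib.c hunk, raw_buffer_size is assigned the new size before malloc() is called, so the added failure path returns False with raw_buffer == NULL while raw_buffer_size already reports the larger capacity. If the enclosing condition (above the visible context) decides whether to allocate by comparing against raw_buffer_size, a later call would skip the allocation and still reach the NULL buffer. Suggest either assigning raw_buffer_size only after malloc() succeeds, or resetting it to its initial value just before `return False;`. Minor style point: the blank lines inside the braces and the 7-space indent of the return do not match the 4-space indentation of the surrounding context lines.
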
--- a/vnc_unixsrc/vncviewer/zrle.c
+++ b/vnc_unixsrc/vncviewer/zrle.c
@@ -132,6 +132,12 @@
                raw_buffer_size = min_buffer_size;
                raw_buffer = (char*) malloc( raw_buffer_size );
 
+               if ( raw_buffer == NULL ) {
+
+                       return False;
+
+               }
+
        }
 
        if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))
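
Review bot: The added `return False;` in the zrle.c hunk fails silently, so nothing tells the user or a log reader that the update was rejected because an allocation of raw_buffer_size bytes failed. Suggest writing a short diagnostic to stderr that includes the requested size before returning. The failure path also leaves `raw_buffer_size = min_buffer_size;` in place while raw_buffer is NULL; if the caller can continue after False, the size should be reset in the same branch so the next pass attempts the allocation again instead of trusting the stale value.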