Fix heap overflow in the ultra.c decoder

The Ultra type tile decoder does not use the _safe variant of the LZO
decompress function, which allows a maliciuous server to overwrite parts of the
heap by sending a larger-than-specified LZO data stream.
pull/1/head
Josef Gajdusek 6 years ago
parent 5418e8007c
commit 5fff4353f6
  1. 8
      libvncclient/ultra.c

@ -86,14 +86,14 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh)
/* uncompress the data */
uncompressedBytes = client->raw_buffer_size;
inflateResult = lzo1x_decompress(
inflateResult = lzo1x_decompress_safe(
(lzo_byte *)client->ultra_buffer, toRead,
(lzo_byte *)client->raw_buffer, (lzo_uintp) &uncompressedBytes,
NULL);
/* Note that uncompressedBytes will be 0 on output overrun */
if ((rw * rh * (BPP / 8)) != uncompressedBytes)
rfbClientLog("Ultra decompressed too little (%d < %d)", (rw * rh * (BPP / 8)), uncompressedBytes);
rfbClientLog("Ultra decompressed unexpected amount of data (%d != %d)\n", (rw * rh * (BPP / 8)), uncompressedBytes);
/* Put the uncompressed contents of the update on the screen. */
if ( inflateResult == LZO_E_OK )
@ -168,7 +168,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
/* uncompress the data */
uncompressedBytes = client->raw_buffer_size;
inflateResult = lzo1x_decompress(
inflateResult = lzo1x_decompress_safe(
(lzo_byte *)client->ultra_buffer, toRead,
(lzo_byte *)client->raw_buffer, &uncompressedBytes, NULL);
if ( inflateResult != LZO_E_OK )

Loading…
Cancel
Save