LibVNCClient: fix three possible heap buffer overflows

An attacker could feed a length of `0xffffffff`, so that the `+1` wraps to a
`malloc(0)` for buffers which are subsequently written to.

Closes #247
Christian Beier 6 years ago
parent 09f2f3fb6a
commit a83439b9fb

@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client)
/* we have an error following */ /* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
reasonLen = rfbClientSwap32IfLE(reasonLen); reasonLen = rfbClientSwap32IfLE(reasonLen);
reason = malloc(reasonLen+1); reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
reason[reasonLen]=0; reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason); rfbClientLog("VNC connection failed: %s\n",reason);
@ -461,7 +461,7 @@ ReadReason(rfbClient* client)
/* we have an error following */ /* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
reasonLen = rfbClientSwap32IfLE(reasonLen); reasonLen = rfbClientSwap32IfLE(reasonLen);
reason = malloc(reasonLen+1); reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
reason[reasonLen]=0; reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason); rfbClientLog("VNC connection failed: %s\n",reason);
@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client)
msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
buffer = malloc(msg.sct.length+1); buffer = malloc((uint64_t)msg.sct.length+1);
if (!ReadFromRFBServer(client, buffer, msg.sct.length)) if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
free(buffer);
return FALSE; return FALSE;
}
buffer[msg.sct.length] = 0; buffer[msg.sct.length] = 0;
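Review bot: The `(uint64_t)` cast on the malloc argument in rfbHandleAuthResult (and the identical lines in the ReadReason and HandleRFBServerMessage hunks) only avoids the wrap where size_t is 64 bits wide: malloc takes a size_t, so on a build with a 32-bit size_t the value 0x100000000 is converted back to 0 and the overflow described in the commit message is unchanged, while on a 64-bit build the roughly 4 GiB request can fail and the unchecked NULL is then passed to ReadFromRFBServer and written through at `reason[reasonLen]=0`. Rejecting the one length that cannot be represented and checking the allocation removes the dependence on pointer width, e.g. `if (reasonLen == UINT32_MAX) return FALSE;` before the malloc and `if (!reason) return FALSE;` after it (`return;` in ReadReason; `buffer` and `msg.sct.length` in HandleRFBServerMessage). If the protocol context allows it, a sane upper bound on these peer-supplied lengths would additionally keep a hostile server from forcing a multi-gigabyte allocation. The enclosing functions start and end outside the hunks, and this section's file header is not visible here.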
