This ammends 15bb719c03 fix for a heap
out-of-bound write access in rfbProcessFileTransferReadBuffer() when
reading a transfered file content in a server. The former fix did not
work on platforms with a 32-bit int type (expected by rfbReadExact()).
CVE-2018-15127
<https://github.com/LibVNC/libvncserver/issues/243>
<https://github.com/LibVNC/libvncserver/issues/273>
(cherry picked from commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec)
The TLS macro never has been defined due to the missing
LIBVNCSERVER_HAVE_TLS macro. This revises the macro logic to also cover
Win32 builds with MSVC.
Shifting values > 32768 by 16 places can cause undefined results for
signed integers. Therefore cast color components to unsigned integer
before shifting.
One can only guess what the intended semantics were here, but as every
other rfbCloseClient() call in this file is followed by an immediate
return, let's assume this was forgotton in this case.
Anyway, don't forget to clean up to not leak memory.
Closes #241
As of now, only LibVNCServer makes uses of these digest functions _and_
they depend on sys/uio.h, but in the future LibVNCClient will need those
as well.
These functions can be used to send already compressed jpegs to a
client, circumventing the usual rect/region update methods which
operate on a raw rgb framebuffer. Rename the functions with the usual
rfb prefix and add the prototypes in rfb.h.
Signed-off-by: Eddie James <eajames@us.ibm.com>
This patch constrains a client cut text length to 1 MB. Otherwise
a client could make server allocate 2 GB of memory and that seems to
be to much to classify it as a denial of service.
The limit also prevents from an integer overflow followed by copying
an uninitilized memory when processing msg.cct.length value larger
than SIZE_MAX or INT_MAX - sz_rfbClientCutTextMsg.
This patch also corrects accepting length value of zero (malloc(0) is
interpreted on differnet systems differently).
CVE-2018-7225
<https://github.com/LibVNC/libvncserver/issues/218>
add wstestdata.c, because the python data generation script has too many
dependencies
remove some redundance from jpeg test creation
add support for decoding close messages
modify automake to include ws_decode test
add python frame generator for decode tests
modify configure to only include ws_decode test if preconditions are
fulfilled
fix critical heap-based buffer overflow which allowed easy modification
of a return address via an overwritten function pointer
fix bug causing connections to fail due a "one websocket frame = one
ws_read" assumption, which failed with LibVNCServer-0.9.11
refactor websocket Hybi decode to use a simple state machine for
decoding of websocket frames
Petr Písař
Slávek Banko
Christian Beier
Quentin BUATHIER
Remi Gacogne
Tobias Junghans
Michele Calgaro
DRC
Eddie James
Wu Zongyong
Jocelyn Le Sage
Andreas Weigel
Lioncash