diff options
author | Josef Gajdusek <atx@atx.name> | 2016-11-14 12:38:05 +0100 |
---|---|---|
committer | Josef Gajdusek <atx@atx.name> | 2016-11-14 12:51:50 +0100 |
commit | 5fff4353f66427b467eb29e5fdc1da4f2be028bb (patch) | |
tree | 4f3886346bc97e7a7e2abd0e3be28845b216dea3 | |
parent | 5418e8007c248bf9668d22a8c1fa9528149b69f2 (diff) | |
download | libtdevnc-5fff4353f66427b467eb29e5fdc1da4f2be028bb.tar.gz libtdevnc-5fff4353f66427b467eb29e5fdc1da4f2be028bb.zip |
Fix heap overflow in the ultra.c decoder
The Ultra type tile decoder does not use the _safe variant of the LZO
decompress function, which allows a maliciuous server to overwrite parts of the
heap by sending a larger-than-specified LZO data stream.
-rw-r--r-- | libvncclient/ultra.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c index dac89b5..32a1b2b 100644 --- a/libvncclient/ultra.c +++ b/libvncclient/ultra.c @@ -86,14 +86,14 @@ HandleUltraBPP (rfbClient* client, int rx, int ry, int rw, int rh) /* uncompress the data */ uncompressedBytes = client->raw_buffer_size; - inflateResult = lzo1x_decompress( + inflateResult = lzo1x_decompress_safe( (lzo_byte *)client->ultra_buffer, toRead, (lzo_byte *)client->raw_buffer, (lzo_uintp) &uncompressedBytes, NULL); - + /* Note that uncompressedBytes will be 0 on output overrun */ if ((rw * rh * (BPP / 8)) != uncompressedBytes) - rfbClientLog("Ultra decompressed too little (%d < %d)", (rw * rh * (BPP / 8)), uncompressedBytes); + rfbClientLog("Ultra decompressed unexpected amount of data (%d != %d)\n", (rw * rh * (BPP / 8)), uncompressedBytes); /* Put the uncompressed contents of the update on the screen. */ if ( inflateResult == LZO_E_OK ) @@ -168,7 +168,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) /* uncompress the data */ uncompressedBytes = client->raw_buffer_size; - inflateResult = lzo1x_decompress( + inflateResult = lzo1x_decompress_safe( (lzo_byte *)client->ultra_buffer, toRead, (lzo_byte *)client->raw_buffer, &uncompressedBytes, NULL); if ( inflateResult != LZO_E_OK ) |