-rw-r--r-- | .gitignore | 60 | ||||
-rw-r--r-- | common/turbojpeg.c | 6 | ||||
-rw-r--r-- | common/vncauth.c | 5 | ||||
-rw-r--r-- | libvncclient/rfbproto.c | 50 | ||||
-rw-r--r-- | libvncserver/tableinit24.c | 11 | ||||
-rw-r--r-- | libvncserver/websockets.c | 11 | ||||
-rw-r--r-- | test/tjbench.c | 15 |
7 files changed, 115 insertions, 43 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8121c9d --- /dev/null +++ b/.gitignore @@ -0,0 +1,60 @@ +*.swp +*~ +Makefile +Makefile.in +LibVNCServer.spec.in +LibVNCServer.spec +libvncserver-config +*.pc +LibVNCServer*.tar.gz +config.h.in +rfbconfig.h +rfbconfig.h.in +*.o +*.a +*.so +*.so.* +client_examples/SDLvncviewer +client_examples/backchannel +client_examples/gtkvncviewer +client_examples/ppmtest +client_examples/vnc2mpg +build/ +examples/zippy +examples/backchannel +examples/blooptest +examples/camera +examples/colourmaptest +examples/example +examples/filetransfer +examples/fontsel +examples/mac +examples/pnmshow +examples/pnmshow24 +examples/regiontest +examples/repeater +examples/rotate +examples/simple +examples/simple15 +examples/storepasswd +examples/vncev +test/blooptest +test/cargstest +test/copyrecttest +test/cursortest +test/encodingstest +test/wstest +/test/tjbench +/test/tjunittest +vncterm/LinuxVNC +vncterm/VNCommand +vncterm/example +/vncterm/linuxvnc +/vncterm/vncommand +CMakeCache.txt +*.cmake +/CMakeFiles +/rfbproto.pdf +/rfbproto.rst +/vencrypt.txt +/INSTALL diff --git a/common/turbojpeg.c b/common/turbojpeg.c index 09df173..934e4f1 100644 --- a/common/turbojpeg.c +++ b/common/turbojpeg.c @@ -468,7 +468,8 @@ static tjhandle _tjInitCompress(tjinstance *this) if(setjmp(this->jerr.setjmp_buffer)) { /* If we get here, the JPEG code has signaled an error. */ - if(this) free(this); return NULL; + if(this) free(this); + return NULL; } jpeg_create_compress(&this->cinfo); @@ -652,7 +653,8 @@ static tjhandle _tjInitDecompress(tjinstance *this) if(setjmp(this->jerr.setjmp_buffer)) { /* If we get here, the JPEG code has signaled an error. */ - if(this) free(this); return NULL; + if(this) free(this); + return NULL; } jpeg_create_decompress(&this->dinfo); diff --git a/common/vncauth.c b/common/vncauth.c index 2a5d96f..81bb10b 100644 --- a/common/vncauth.c +++ b/common/vncauth.c 
@@ -207,8 +207,9 @@ rfbEncryptBytes2(unsigned char *where, const int length, unsigned char *key) { where[i] ^= key[i]; rfbDes(where, where); for (i = 8; i < length; i += 8) { - for (j = 0; j < 8; j++) + for (j = 0; j < 8; j++) { where[i + j] ^= where[i + j - 8]; - rfbDes(where + i, where + i); + } + rfbDes(where + i, where + i); } } diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c index 82536cd..e56e778 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c @@ -416,11 +416,29 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char *repeaterHost, int rep extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd); extern void rfbClientEncryptBytes2(unsigned char *where, const int length, unsigned char *key); +static void +ReadReason(rfbClient* client) +{ + uint32_t reasonLen; + char *reason; + + if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; + reasonLen = rfbClientSwap32IfLE(reasonLen); + if(reasonLen > 1<<20) { + rfbClientLog("VNC connection failed, but sent reason length of %u exceeds limit of 1MB",(unsigned int)reasonLen); + return; + } + reason = malloc(reasonLen+1); + if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } + reason[reasonLen]=0; + rfbClientLog("VNC connection failed: %s\n",reason); + free(reason); +} + rfbBool rfbHandleAuthResult(rfbClient* client) { - uint32_t authResult=0, reasonLen=0; - char *reason=NULL; + uint32_t authResult=0; if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE; 
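Review bot: In the new ReadReason, the result of `malloc(reasonLen+1)` goes straight into ReadFromRFBServer and is then written at `reason[reasonLen]` with no NULL check, so a failed allocation for this server-chosen size (now capped at 1 MB) becomes a write through a null pointer; add `if (!reason) return;` right after the allocation. The cut-text hunk in HandleRFBServerMessage shows the same pattern, with `buffer = malloc((uint64_t)msg.sct.length+1);` followed directly by the read as far as the visible lines go. The over-limit log string also lacks the trailing `\n` that the other rfbClientLog calls in this hunk carry. rfbHandleAuthResult continues past the end of the hunk.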
@@ -435,13 +453,7 @@ rfbHandleAuthResult(rfbClient* client) if (client->major==3 && client->minor>7) { /* we have an error following */ - if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; - reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc((uint64_t)reasonLen+1); - if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } - reason[reasonLen]=0; - rfbClientLog("VNC connection failed: %s\n",reason); - free(reason); + ReadReason(client); return FALSE; } rfbClientLog("VNC authentication failed\n"); @@ -456,21 +468,6 @@ rfbHandleAuthResult(rfbClient* client) return FALSE; } -static void -ReadReason(rfbClient* client) -{ - uint32_t reasonLen; - char *reason; - - /* we have an error following */ - if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; - reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc((uint64_t)reasonLen+1); - if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } - reason[reasonLen]=0; - rfbClientLog("VNC connection failed: %s\n",reason); - free(reason); -} static rfbBool ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth) @@ -2221,6 +2218,11 @@ HandleRFBServerMessage(rfbClient* client) msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); + if (msg.sct.length > 1<<20) { + rfbClientErr("Ignoring too big cut text length sent by server: %u B > 1 MB\n", (unsigned int)msg.sct.length); + return FALSE; + } + buffer = malloc((uint64_t)msg.sct.length+1); if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { diff --git a/libvncserver/tableinit24.c b/libvncserver/tableinit24.c index 39e9920..5c5823c 100644 --- a/libvncserver/tableinit24.c +++ b/libvncserver/tableinit24.c 
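Review bot: The added length check in HandleRFBServerMessage logs "Ignoring too big cut text length" but then does `return FALSE` without reading the announced bytes, so the message is not skipped; it is abandoned mid-stream, and presumably the caller treats FALSE as a failed connection (the caller is not visible here). The log text should say that the message is rejected rather than ignored, or the code should document that an oversized cut text ends the session. The cap `1<<20` is also written out twice, here and in ReadReason; a single named constant with a short comment such as `/* upper bound for server-supplied text lengths */` would keep the two limits in step. With the cap in place, the `(uint64_t)` cast in the malloc call that follows no longer guards against anything and could be dropped. The function body starts and ends outside this hunk.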
@@ -147,11 +147,12 @@ rfbInitOneRGBTable24 (uint8_t *table, int inMax, int outMax, int outShift, for (i = 0; i < nEntries; i++) { outValue = ((i * outMax + inMax / 2) / inMax) << outShift; *(uint32_t *)&table[3*i] = outValue; - if(!rfbEndianTest) + if(!rfbEndianTest) { memmove(table+3*i,table+3*i+1,3); - if (swap) { - c = table[3*i]; table[3*i] = table[3*i+2]; - table[3*i+2] = c; - } + } + if (swap) { + c = table[3*i]; table[3*i] = table[3*i+2]; + table[3*i+2] = c; + } } } diff --git a/libvncserver/websockets.c b/libvncserver/websockets.c index d91c4f2..616c81c 100644 --- a/libvncserver/websockets.c +++ b/libvncserver/websockets.c @@ -198,12 +198,15 @@ webSocketsHandshake(rfbClientPtr cl, char *scheme) if ((n < 0) && (errno == ETIMEDOUT)) { break; } - if (n == 0) + if (n == 0) { rfbLog("webSocketsHandshake: client gone\n"); - else + } + else { rfbLogPerror("webSocketsHandshake: read"); - free(response); - free(buf); + } + + free(response); + free(buf); return FALSE; } diff --git a/test/tjbench.c b/test/tjbench.c index 29aa153..87e1591 100644 --- a/test/tjbench.c +++ b/test/tjbench.c @@ -178,7 +178,8 @@ int decomptest(unsigned char *srcbuf, unsigned char **jpegbuf, int y=(int)((double)srcbuf[rindex]*0.299 + (double)srcbuf[gindex]*0.587 + (double)srcbuf[bindex]*0.114 + 0.5); - if(y>255) y=255; if(y<0) y=0; + if(y>255) y=255; + if(y<0) y=0; dstbuf[rindex]=abs(dstbuf[rindex]-y); dstbuf[gindex]=abs(dstbuf[gindex]-y); dstbuf[bindex]=abs(dstbuf[bindex]-y); @@ -226,7 +227,8 @@ void dotest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual, for(tilew=dotile? 8:w, tileh=dotile? 8:h; ; tilew*=2, tileh*=2) { - if(tilew>w) tilew=w; if(tileh>h) tileh=h; + if(tilew>w) tilew=w; + if(tileh>h) tileh=h; ntilesw=(w+tilew-1)/tilew; ntilesh=(h+tileh-1)/tileh; if((jpegbuf=(unsigned char **)malloc(sizeof(unsigned char *) 
@@ -323,7 +325,7 @@ void dotest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual, for(i=0; i<ntilesw*ntilesh; i++) { - if(jpegbuf[i]) free(jpegbuf[i]); jpegbuf[i]=NULL; + if(jpegbuf[i]) {free(jpegbuf[i]); jpegbuf[i]=NULL;} } free(jpegbuf); jpegbuf=NULL; free(jpegsize); jpegsize=NULL; @@ -337,7 +339,7 @@ void dotest(unsigned char *srcbuf, int w, int h, int subsamp, int jpegqual, { for(i=0; i<ntilesw*ntilesh; i++) { - if(jpegbuf[i]) free(jpegbuf[i]); jpegbuf[i]=NULL; + if(jpegbuf[i]) {free(jpegbuf[i]); jpegbuf[i]=NULL;} } free(jpegbuf); jpegbuf=NULL; } @@ -392,7 +394,8 @@ void dodecomptest(char *filename) for(tilew=dotile? 16:w, tileh=dotile? 16:h; ; tilew*=2, tileh*=2) { - if(tilew>w) tilew=w; if(tileh>h) tileh=h; + if(tilew>w) tilew=w; + if(tileh>h) tileh=h; ntilesw=(w+tilew-1)/tilew; ntilesh=(h+tileh-1)/tileh; if((jpegbuf=(unsigned char **)malloc(sizeof(unsigned char *) @@ -455,7 +458,7 @@ void dodecomptest(char *filename) { for(i=0; i<ntilesw*ntilesh; i++) { - if(jpegbuf[i]) free(jpegbuf[i]); jpegbuf[i]=NULL; + if(jpegbuf[i]) {free(jpegbuf[i]); jpegbuf[i]=NULL;} } free(jpegbuf); jpegbuf=NULL; } |