authorChristian Beier <dontmind@freeshell.org>2018-09-29 22:28:57 +0200
committerChristian Beier <dontmind@freeshell.org>2018-09-29 22:29:06 +0200
commita83439b9fbe0f03c48eb94ed05729cb016f8b72f (patch)
treeb457de79ba584556a3160b3fc5ff9b3452e5de9d
parent09f2f3fb6a5a163e453e5c2979054670c39694bc (diff)
downloadlibtdevnc-a83439b9fbe0f03c48eb94ed05729cb016f8b72f.tar.gz
libtdevnc-a83439b9fbe0f03c48eb94ed05729cb016f8b72f.zip
LibVNCClient: fix three possible heap buffer overflows
An attacker could feed `0xffffffff`, causing a `malloc(0)` for the buffers which are subsequently written to. Closes #247
-rw-r--r--libvncclient/rfbproto.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 8d6a4c1..ac2a983 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client)
/* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc(reasonLen+1);
+ reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason);
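Review bot: The new `malloc((uint64_t)reasonLen+1)` line still passes `reason` to ReadFromRFBServer without a NULL check, and the widening only works where size_t is 64-bit: malloc takes a size_t, so on a 32-bit build the value `0x100000000` converts back to 0 and the original malloc(0) heap overflow is unchanged there. A complete fix rejects oversized lengths before allocating and checks the allocation, e.g. `if (reasonLen > <MAX_REASON_LEN placeholder>) return FALSE;` followed by `reason = malloc((size_t)reasonLen + 1); if (!reason) return FALSE;`. The same pattern applies to the identical lines in ReadReason in the next hunk and to the `buffer` allocation in HandleRFBServerMessage in the third hunk, which additionally lacks a bound on msg.sct.length. Note that even on 64-bit a server-supplied length near 4 GiB is accepted and allocated as-is, which looks like an easy memory-exhaustion path worth bounding as well. rfbHandleAuthResult starts and ends outside this hunk.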
@@ -461,7 +461,7 @@ ReadReason(rfbClient* client)
/* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc(reasonLen+1);
+ reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason);
@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client)
msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
- buffer = malloc(msg.sct.length+1);
+ buffer = malloc((uint64_t)msg.sct.length+1);
- if (!ReadFromRFBServer(client, buffer, msg.sct.length))
+ if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+ free(buffer);
return FALSE;
+ }
buffer[msg.sct.length] = 0;