diff options
author | Christian Beier <dontmind@freeshell.org> | 2018-09-29 22:28:57 +0200 |
---|---|---|
committer | Christian Beier <dontmind@freeshell.org> | 2018-09-29 22:29:06 +0200 |
commit | a83439b9fbe0f03c48eb94ed05729cb016f8b72f (patch) | |
tree | b457de79ba584556a3160b3fc5ff9b3452e5de9d | |
parent | 09f2f3fb6a5a163e453e5c2979054670c39694bc (diff) | |
download | libtdevnc-a83439b9fbe0f03c48eb94ed05729cb016f8b72f.tar.gz libtdevnc-a83439b9fbe0f03c48eb94ed05729cb016f8b72f.zip |
LibVNCClient: fix three possible heap buffer overflows
An attacker could feed `0xffffffff`, causing a `malloc(0)` for the
buffers which are subsequently written to.
Closes #247
-rw-r--r-- | libvncclient/rfbproto.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c index 8d6a4c1..ac2a983 100644 --- a/libvncclient/rfbproto.c +++ b/libvncclient/rfbproto.c @@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client) /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE; reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc(reasonLen+1); + reason = malloc((uint64_t)reasonLen+1); if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); @@ -461,7 +461,7 @@ ReadReason(rfbClient* client) /* we have an error following */ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return; reasonLen = rfbClientSwap32IfLE(reasonLen); - reason = malloc(reasonLen+1); + reason = malloc((uint64_t)reasonLen+1); if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; } reason[reasonLen]=0; rfbClientLog("VNC connection failed: %s\n",reason); @@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client) msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); - buffer = malloc(msg.sct.length+1); + buffer = malloc((uint64_t)msg.sct.length+1); - if (!ReadFromRFBServer(client, buffer, msg.sct.length)) + if (!ReadFromRFBServer(client, buffer, msg.sct.length)) { + free(buffer); return FALSE; + } buffer[msg.sct.length] = 0; |