Fix buffer overflow in ModifiablePixelBuffer::fillRect. #399

Merged
merged 1 commit into from Jan 18, 2017

@michalsrb
Contributor

michalsrb commented Jan 17, 2017

LibVNC had a security bug and the reproducer can trigger a similar kind of security bug in vncviewer as well:
LibVNC/libvncserver#137
(Using the send_copyrect_crash function, which has a bit of a misleading name because the issue is in RRE and filling rectangles, not copying.)

A malicious VNC server can send an RRE message with a subrectangle which is outside the framebuffer rectangle. Vncviewer then fills this rectangle and writes into random memory.

I wasn't sure at what level the test whether the subrectangle is inside the framebuffer should be. I've added it to PixelBuffer::fillRect, inspired by the checks inside PixelBuffer::copyRect.

Fix buffer overflow in ModifiablePixelBuffer::fillRect.
It can be triggered by an RRE message with a subrectangle out of framebuffer
boundaries. It may prevent the same kind of issue caused by an evil message
from another encoding too.
@CendioOssman
Member

CendioOssman commented Jan 18, 2017

A good start. We should probably add more checks at other layers as well though. If nothing else, to get better error messages.

And I don't see why we don't just completely fail things at this point, as these are invalid requests. I'll do some follow-up commits.

Thanks for the report and patch.
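Added example, not TigerVNC code: a minimal stand-in for the pixel buffer with the kind of bounds check in fillRect that the patch above describes, plus an RRE decoder that, along the lines CendioOssman suggests, validates at its own layer too and fails the whole update on an invalid sub-rectangle rather than silently clipping. Rect, PixelBuffer, Reader, decodeRRE, makeRRE and the sample payloads are this example's own constructions and are assumptions; they are not rfb::Rect, rfb::ModifiablePixelBuffer or TigerVNC's RRE decoder. The wire layout follows RFC 6143 section 7.7.3 with 32-bit pixels.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for rfb::Rect: half-open [x1,x2) x [y1,y2).
struct Rect { int x1, y1, x2, y2; };

// Hypothetical stand-in for rfb::ModifiablePixelBuffer, 32 bpp.
class PixelBuffer {
public:
    PixelBuffer(int w, int h) : w_(w), h_(h), px_((size_t)w * (size_t)h, 0) {}

    // True iff r is well-formed and lies entirely inside the buffer.
    bool enclosesRect(const Rect& r) const {
        return r.x1 <= r.x2 && r.y1 <= r.y2 &&
               r.x1 >= 0 && r.y1 >= 0 && r.x2 <= w_ && r.y2 <= h_;
    }

    // Hardened fillRect: refuse an out-of-bounds rectangle instead of
    // writing through the end of px_.
    void fillRect(const Rect& r, uint32_t pix) {
        if (!enclosesRect(r))
            throw std::out_of_range("fillRect: rectangle outside framebuffer");
        for (int y = r.y1; y < r.y2; ++y)
            for (int x = r.x1; x < r.x2; ++x)
                px_[(size_t)y * (size_t)w_ + (size_t)x] = pix;
    }

    uint32_t at(int x, int y) const { return px_[(size_t)y * (size_t)w_ + (size_t)x]; }

private:
    int w_, h_;
    std::vector<uint32_t> px_;
};

// Big-endian reader over the rectangle payload; refuses to read past its end.
struct Reader {
    const std::vector<uint8_t>& d;
    size_t pos = 0;
    explicit Reader(const std::vector<uint8_t>& v) : d(v) {}
    void need(size_t n) { if (d.size() - pos < n) throw std::runtime_error("RRE: truncated"); }
    uint16_t u16() { need(2); uint16_t v = (uint16_t)(d[pos] << 8 | d[pos + 1]); pos += 2; return v; }
    uint32_t u32() { uint32_t hi = u16(); return hi << 16 | u16(); }
};

// Decode one RRE rectangle (RFC 6143 section 7.7.3) with 32-bit pixels. `r` is
// the rectangle from the FramebufferUpdate header; `data` is the RRE payload:
// U32 sub-rectangle count, background pixel, then per sub-rectangle a pixel
// value and U16 x, y, width, height relative to r's origin.
uint32_t decodeRRE(PixelBuffer& pb, const Rect& r, const std::vector<uint8_t>& data) {
    // Decoder-layer check first, so a bad header fails with a clear message.
    if (!pb.enclosesRect(r))
        throw std::out_of_range("RRE: rectangle outside framebuffer");
    Reader in(data);
    uint32_t nsub = in.u32();
    uint32_t bg = in.u32();
    pb.fillRect(r, bg);
    for (uint32_t i = 0; i < nsub; ++i) {
        uint32_t pix = in.u32();
        int sx = in.u16(), sy = in.u16(), sw = in.u16(), sh = in.u16();
        Rect sub{r.x1 + sx, r.y1 + sy, r.x1 + sx + sw, r.y1 + sy + sh};
        // The reproducer's case: a sub-rectangle that leaves r (and the framebuffer).
        if (sub.x2 > r.x2 || sub.y2 > r.y2)
            throw std::out_of_range("RRE: sub-rectangle outside rectangle");
        pb.fillRect(sub, pix);  // fillRect re-checks against the framebuffer itself
    }
    return nsub;
}

// Constructed payloads for the examples below (not captured traffic).
struct SubRect { uint32_t pix; uint16_t x, y, w, h; };
static void put16(std::vector<uint8_t>& v, uint16_t x) { v.push_back((uint8_t)(x >> 8)); v.push_back((uint8_t)x); }
static void put32(std::vector<uint8_t>& v, uint32_t x) { put16(v, (uint16_t)(x >> 16)); put16(v, (uint16_t)x); }
std::vector<uint8_t> makeRRE(uint32_t bg, const std::vector<SubRect>& subs) {
    std::vector<uint8_t> v;
    put32(v, (uint32_t)subs.size());
    put32(v, bg);
    for (const SubRect& s : subs) { put32(v, s.pix); put16(v, s.x); put16(v, s.y); put16(v, s.w); put16(v, s.h); }
    return v;
}

// Benign update: 16x16 buffer, rect (2,2)-(10,10), one 3x3 sub-rectangle at (1,1).
bool benignUpdateIsApplied() {
    PixelBuffer pb(16, 16);
    uint32_t n = decodeRRE(pb, Rect{2, 2, 10, 10}, makeRRE(0x11, {{0x22, 1, 1, 3, 3}}));
    return n == 1 && pb.at(2, 2) == 0x11 && pb.at(3, 3) == 0x22 &&
           pb.at(5, 5) == 0x22 && pb.at(6, 6) == 0x11 && pb.at(0, 0) == 0;
}

// Malicious update: the header rectangle is valid but the sub-rectangle runs
// past the buffer's right and bottom edges; decoding refuses it before any write.
bool maliciousSubRectIsRejected() {
    PixelBuffer pb(16, 16);
    try { decodeRRE(pb, Rect{8, 8, 16, 16}, makeRRE(0x11, {{0x22, 4, 4, 20, 20}})); }
    catch (const std::out_of_range&) { return true; }
    return false;
}
```

The decoder check is what gives a useful error message for this encoding; fillRect's own check is the backstop that still fires if another encoding, or a later refactor, hands it a bad rectangle. Note that the sub-rectangle arithmetic is done in int from U16 fields, so it cannot wrap before the comparison against r.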

@CendioOssman CendioOssman merged commit 18c0201 into TigerVNC:master Jan 18, 2017

@carnil

carnil commented Jan 25, 2017

This has been assigned CVE-2017-5581

@michalsrb michalsrb deleted the michalsrb:fixrrevulnerability branch Mar 29, 2017
