
Fix buffer overflow in ModifiablePixelBuffer::fillRect. #399

Merged
merged 1 commit into from Jan 18, 2017

Conversation

michalsrb
Contributor

LibVNC had a security bug, and the reproducer can trigger a similar kind of security bug in vncviewer as well:
LibVNC/libvncserver#137
(Using the send_copyrect_crash function, which has a bit of a misleading name because the issue is in RRE and filling rectangles, not copying.)

A malicious VNC server can send an RRE message with a subrectangle which is out of the framebuffer rectangle. Vncviewer then fills this rectangle and writes into random memory.

I wasn't sure at what level the test for whether the subrectangle is inside the framebuffer should be. I've added it to PixelBuffer::fillRect, inspired by the checks inside PixelBuffer::copyRect.

It can be triggered by an RRE message with a subrectangle out of framebuffer
boundaries. It may prevent the same kind of issue caused by an evil message
from another encoding too.
@CendioOssman
Member

A good start. We should probably add more checks at other layers as well though. If nothing else to get better error messages.

And I don't see why we don't just completely fail things at this point, as these are invalid requests. I'll do some follow-up commits.

Thanks for the report and patch.

@CendioOssman CendioOssman merged commit 18c0201 into TigerVNC:master Jan 18, 2017
@carnil

carnil commented Jan 25, 2017

This has been assigned CVE-2017-5581

@michalsrb michalsrb deleted the fixrrevulnerability branch March 29, 2017 13:05