-
Notifications
You must be signed in to change notification settings - Fork 896
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security fixes #921
Security fixes #921
Commits on Nov 15, 2019
-
Make ZlibInStream more robust against failures
Move the checks around to avoid missing cases where we might access memory that is no longer valid. Also avoid touching the underlying stream implicitly (e.g. via the destructor) as it might also no longer be valid. A malicious server could theoretically use this for remote code execution in the client. Issue found by Pavel Cheremushkin from Kaspersky Lab
2Configuration menu - View commit details
-
Copy full SHA for d61a767 - Browse repository at this point
Copy the full SHA d61a767View commit details -
Encapsulate PixelBuffer internal details
Don't allow subclasses to just override dimensions or buffer details directly and instead force them to go via methods. This allows us to do sanity checks on the new values and catch bugs and attacks.
Configuration menu - View commit details
-
Copy full SHA for 53f913a - Browse repository at this point
Copy the full SHA 53f913aView commit details -
Restrict PixelBuffer dimensions to safe values
We do a lot of calculations based on pixel coordinates and we need to make sure they do not overflow. Restrict the maximum dimensions we support rather than try to switch over all calculations to use 64 bit integers. This prevents attackers from from injecting code by specifying a huge framebuffer size and relying on the values overflowing to access invalid areas of the heap. This primarily affects the client which gets both the screen dimensions and the pixel contents from the remote side. But the server might also be affected as a client can adjust the screen dimensions, as can applications inside the session. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Configuration menu - View commit details
-
Copy full SHA for 996356b - Browse repository at this point
Copy the full SHA 996356bView commit details -
Add write protection to OffsetPixelBuffer
No one should every try to write to this buffer. Enforce that by throwing an exception if any one tries to get a writeable pointer to the data.
Configuration menu - View commit details
-
Copy full SHA for 9f61530 - Browse repository at this point
Copy the full SHA 9f61530View commit details -
Handle empty Tight gradient rects
We always assumed there would be one pixel per row so a rect with a zero width would result in us writing to unknown memory. This could theoretically be used by a malicious server to inject code in to the viewer process. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Configuration menu - View commit details
-
Copy full SHA for b4ada8d - Browse repository at this point
Copy the full SHA b4ada8dView commit details -
Configuration menu - View commit details
-
Copy full SHA for 014c501 - Browse repository at this point
Copy the full SHA 014c501View commit details -
Configuration menu - View commit details
-
Copy full SHA for f1b9b86 - Browse repository at this point
Copy the full SHA f1b9b86View commit details -
Add sanity checks for PixelFormat shift values
Otherwise we might be tricked in to reading and writing things at incorrect offsets for pixels which ultimately could result in an attacker writing things to the stack or heap and executing things they shouldn't. This only affects the server as the client never uses the pixel format suggested by th server. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Configuration menu - View commit details
-
Copy full SHA for cd1d650 - Browse repository at this point
Copy the full SHA cd1d650View commit details -
Configuration menu - View commit details
-
Copy full SHA for 4ff58f0 - Browse repository at this point
Copy the full SHA 4ff58f0View commit details -
Use size_t for lengths in stream objects
Provides safety against them accidentally becoming negative because of bugs in the calculations. Also does the same to CharArray and friends as they were strongly connection to the stream objects.
Configuration menu - View commit details
-
Copy full SHA for 0943c00 - Browse repository at this point
Copy the full SHA 0943c00View commit details -
Be defensive about overflows in stream objects
We use a lot of lengths given to us over the network, so be more paranoid about them causing an overflow as otherwise an attacker might trick us in to overwriting other memory. This primarily affects the client which often gets lengths from the server, but there are also some scenarios where the server might theoretically be vulnerable. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Configuration menu - View commit details
-
Copy full SHA for 75e6e06 - Browse repository at this point
Copy the full SHA 75e6e06View commit details -
Configuration menu - View commit details
-
Copy full SHA for 91bdaa6 - Browse repository at this point
Copy the full SHA 91bdaa6View commit details -
Handle pixel formats with odd shift values
Our fast paths assume that each channel fits in to a separate byte. That means the shift needs to be a multiple of 8. Start actually checking this so that a client cannot trip us up and possibly cause incorrect code exection. Issue found by Pavel Cheremushkin from Kaspersky Lab.
Configuration menu - View commit details
-
Copy full SHA for 05e2849 - Browse repository at this point
Copy the full SHA 05e2849View commit details