nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch

20 lines
775 B
Diff
Raw Normal View History

Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
index 04b0230..bd11b54 100644
--- a/vncviewer/rfbproto.c
+++ b/vncviewer/rfbproto.c
@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
si.format.blueMax = Swap16IfLE(si.format.blueMax);
si.nameLength = Swap32IfLE(si.nameLength);
- /* FIXME: Check arguments to malloc() calls. */
+ if (si.nameLength > 1<<20) {
+ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
+ (unsigned long)si.nameLength);
+ return False;
+ }
+
desktopName = malloc(si.nameLength + 1);
if (!desktopName) {
fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",