* [gentoo-commits] gentoo-x86 commit in net-misc/tigervnc/files: 1.3.1-CVE-2014-8240.patch
@ 2015-02-12 12:03 Raul Porcel (armin76)
0 siblings, 0 replies; only message in thread
From: Raul Porcel (armin76) @ 2015-02-12 12:03 UTC (permalink / raw
To: gentoo-commits
armin76 15/02/12 12:03:26
Added: 1.3.1-CVE-2014-8240.patch
Log:
Add revision bump with security patch for bug #534714
(Portage version: 2.2.14/cvs/Linux ia64, signed Manifest commit with key 0xF6AD3240)
Revision Changes Path
1.1 net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/tigervnc/files/1.3.1-CVE-2014-8240.patch?rev=1.1&content-type=text/plain
Index: 1.3.1-CVE-2014-8240.patch
===================================================================
Patch-Mainline: To be upstreamed
References: bnc#900896 CVE-2014-8240
Signed-off-by: Michal Srb <msrb@suse.com>
Index: tigervnc-1.4.1/unix/x0vncserver/Image.cxx
===================================================================
--- tigervnc-1.4.1.orig/unix/x0vncserver/Image.cxx
+++ tigervnc-1.4.1/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
@@ -254,6 +262,17 @@ void ShmImage::Init(int width, int heigh
delete shminfo;
shminfo = NULL;
return;
+ }
+
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
}
shminfo->shmid = shmget(IPC_PRIVATE,
Index: tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
===================================================================
--- tigervnc-1.4.1.orig/vncviewer/X11PixelBuffer.cxx
+++ tigervnc-1.4.1/vncviewer/X11PixelBuffer.cxx
@@ -106,6 +106,15 @@ X11PixelBuffer::X11PixelBuffer(int width
if (!xim)
throw rfb::Exception(_("Could not create framebuffer image"));
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
if (!xim->data)
throw rfb::Exception(_("Not enough memory for framebuffer"));
@@ -172,6 +181,16 @@ int X11PixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rfb::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-02-12 12:03 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-02-12 12:03 [gentoo-commits] gentoo-x86 commit in net-misc/tigervnc/files: 1.3.1-CVE-2014-8240.patch Raul Porcel (armin76)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox