commit c1244c096dd9d314465a985e06d97450c8c871a2
author Pierre Ossman <ossman@cendio.se> Wed Mar 19 12:16:48 2014 +0000
committer Pierre Ossman <ossman@cendio.se> Wed Mar 19 12:16:48 2014 +0000
tree 12dfc8e5b0013c09be0a5696fa5d9e1d66186de1
parent 7ea9b2c602893ac1b7e843bcf2f64e1677f98d1d

The ZRLE decoder relied on an assert() for boundary checks. A default
Release build however will remove all asserts making it possible to
overrun this buffer. This could be exploited by a malicious server.
This issue has been assigned CVE-2014-0011. Patch by Tim Waugh for
Red Hat.


git-svn-id: svn://svn.code.sf.net/p/tigervnc/code/trunk@5167 3789f03b-4d11-0410-bbf8-ca57d06f2519

common/rfb/zrleDecode.h

diff --git a/common/rfb/zrleDecode.h b/common/rfb/zrleDecode.h
index 15d2790..8f6f792 100644
--- a/common/rfb/zrleDecode.h
+++ b/common/rfb/zrleDecode.h
@@ -25,9 +25,10 @@
 // FILL_RECT          - fill a rectangle with a single colour
 // IMAGE_RECT         - draw a rectangle of pixel data from a buffer
 
+#include <stdio.h>
 #include <rdr/InStream.h>
 #include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
 
 namespace rfb {
 
@@ -143,7 +144,10 @@
               len += b;
             } while (b == 255);
 
-            assert(len <= end - ptr);
+            if (end - ptr < len) {
+              fprintf (stderr, "ZRLE decode error\n");
+              throw Exception ("ZRLE decode error");
+            }
 
 #ifdef FAVOUR_FILL_RECT
             int i = ptr - buf;
@@ -193,7 +197,10 @@
                 len += b;
               } while (b == 255);
 
-              assert(len <= end - ptr);
+              if (end - ptr < len) {
+                fprintf (stderr, "ZRLE decode error\n");
+                throw Exception ("ZRLE decode error");
+              }
             }
 
             index &= 127;