aboutsummaryrefslogtreecommitdiff
path: root/README
diff options
context:
space:
mode:
authorGerd Hoffmann <kraxel@redhat.com>2015-08-17 19:56:53 +0200
committerGerd Hoffmann <kraxel@redhat.com>2015-08-26 17:54:33 +0200
commiteb8934b0418b3b1d125edddc4fc334a54334a49b (patch)
tree4daeb2012b1d63f9b1e0b63301f2be40d67511ae /README
parent7df9671989c1cfa693764f9ae6349324b2ada02a (diff)
vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential memory corruption issues" can become negative. Result is (possibly exploitable) memory corruption. Reason for that is it uses the stride instead of bytes per scanline to apply limits. For the server surface is is actually fine. vnc creates that itself, there is never any padding and thus scanline length always equals stride. For the guest surface scanline length and stride are typically identical too, but it doesn't has to be that way. So add and use a new variable (guest_ll) for the guest scanline length. Also rename min_stride to line_bytes to make more clear what it actually is. Finally sprinkle in an assert() to make sure we never use a negative _cmp_bytes again. Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com> Reviewed-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions