summary refs log tree commit diff
path: root/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch')
-rw-r--r--pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch19
1 files changed, 19 insertions, 0 deletions
diff --git a/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
new file mode 100644
index 00000000000..6d7b3e89e0c
--- /dev/null
+++ b/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch
@@ -0,0 +1,19 @@
+Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
+diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
+index 04b0230..bd11b54 100644
+--- a/vncviewer/rfbproto.c
++++ b/vncviewer/rfbproto.c
+@@ -303,7 +303,12 @@ InitialiseRFBConnection(void)
+   si.format.blueMax = Swap16IfLE(si.format.blueMax);
+   si.nameLength = Swap32IfLE(si.nameLength);
+ 
+-  /* FIXME: Check arguments to malloc() calls. */
++  if (si.nameLength > 1<<20) {
++    fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n",
++            (unsigned long)si.nameLength);
++    return False;
++  }
++
+   desktopName = malloc(si.nameLength + 1);
+   if (!desktopName) {
+     fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n",
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-10 19:34:42 +0000