pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15678.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

Adapted from https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c
index 04b0230..47a6863 100644
--- a/vncviewer/rfbproto.c
+++ b/vncviewer/rfbproto.c
@@ -1217,6 +1217,12 @@ HandleRFBServerMessage()
     if (serverCutText)
       free(serverCutText);
 
+    if (msg.sct.length > 1<<20) {
+      fprintf(stderr,"Ignoring too big cut text length sent by server: %u B > 1 MB\n",
+              (unsigned int)msg.sct.length);
+      return False;
+    }
+
     serverCutText = malloc(msg.sct.length+1);
 
     if (!ReadFromRFBServer(serverCutText, msg.sct.length))