publicWagsHome/KasmVNC
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Handle empty Tight gradient rects

Browse Source 
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.

This could theoretically be used by a malicious server to inject
code in to the viewer process.

Issue found by Pavel Cheremushkin from Kaspersky Lab.
This commit is contained in:
Pierre Ossman
2019-09-10 15:36:42 +02:00
committed by Lauri Kasanen
parent 6a3f711878
commit 1224cbdc21
1 changed files with 21 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
common/rfb/tightDecode.h
View File

@@ -56,15 +56,17 @@ TightDecoder::FilterGradient24(const rdr::U8 *inbuf,
int rectWidth = r.width(); int rectWidth = r.width();
for (y = 0; y < rectHeight; y++) { for (y = 0; y < rectHeight; y++) {
/* First pixel in a row */ for (x = 0; x < rectWidth; x++) {
for (c = 0; c < 3; c++) { /* First pixel in a row */
pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c]; if (x == 0) {
thisRow[c] = pix[c]; for (c = 0; c < 3; c++) {
} pix[c] = inbuf[y*rectWidth*3+c] + prevRow[c];
pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); thisRow[c] = pix[c];
}
pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
continue;
}
/* Remaining pixels of a row */
for (x = 1; x < rectWidth; x++) {
for (c = 0; c < 3; c++) { for (c = 0; c < 3; c++) {
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
if (est[c] > 0xff) { if (est[c] > 0xff) {
@@ -103,17 +105,20 @@ void TightDecoder::FilterGradient(const rdr::U8* inbuf,
int rectWidth = r.width(); int rectWidth = r.width();
for (y = 0; y < rectHeight; y++) { for (y = 0; y < rectHeight; y++) {
/* First pixel in a row */ for (x = 0; x < rectWidth; x++) {
pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1); /* First pixel in a row */
for (c = 0; c < 3; c++) if (x == 0) {
pix[c] += prevRow[c]; pf.rgbFromBuffer(pix, &inbuf[y*rectWidth], 1);
for (c = 0; c < 3; c++)
pix[c] += prevRow[c];
memcpy(thisRow, pix, sizeof(pix)); memcpy(thisRow, pix, sizeof(pix));
pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1); pf.bufferFromRGB((rdr::U8*)&outbuf[y*stride], pix, 1);
continue;
}
/* Remaining pixels of a row */
for (x = 1; x < rectWidth; x++) {
for (c = 0; c < 3; c++) { for (c = 0; c < 3; c++) {
est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c]; est[c] = prevRow[x*3+c] + pix[c] - prevRow[(x-1)*3+c];
if (est[c] > 255) { if (est[c] > 255) {