[Qemu-devel] [PATCH] vnc: sanitize bits_per

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] vnc: sanitize bits_per_pixel from the client
@ 2014-10-27 11:41 Petr Matousek
  2014-10-27 11:53 ` Gerd Hoffmann
  0 siblings, 1 reply; 2+ messages in thread
From: Petr Matousek @ 2014-10-27 11:41 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann, Anthony Liguori, qemu-stable

bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
---
 ui/vnc.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 0fe6eff..6c8fb1a 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2026,6 +2026,17 @@ static void set_pixel_format(VncState *vs,
         return;
     }
 
+    switch(bits_per_pixel) {
+    case 8:
+    case 16:
+    case 32:
+        break;
+    default:
+        vnc_client_error(vs);
+        return;
+        break;
+    }
+
     vs->client_pf.rmax = red_max;
     vs->client_pf.rbits = hweight_long(red_max);
     vs->client_pf.rshift = red_shift;
-- 
1.9.3

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Qemu-devel] [PATCH] vnc: sanitize bits_per_pixel from the client
  2014-10-27 11:41 [Qemu-devel] [PATCH] vnc: sanitize bits_per_pixel from the client Petr Matousek
@ 2014-10-27 11:53 ` Gerd Hoffmann
  0 siblings, 0 replies; 2+ messages in thread
From: Gerd Hoffmann @ 2014-10-27 11:53 UTC (permalink / raw)
  To: Petr Matousek; +Cc: qemu-devel, Anthony Liguori, qemu-stable

On Mo, 2014-10-27 at 12:41 +0100, Petr Matousek wrote:
> bits_per_pixel that are less than 8 could result in accessing
> non-initialized buffers later in the code due to the expectation
> that bytes_per_pixel value that is used to initialize these buffers is
> never zero.
> 
> To fix this check that bits_per_pixel from the client is one of the
> values that the rfb protocol specification allows.
> 
> This is CVE-2014-7815.
> 
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>

applied minor codestyle fix & added to vnc patch queue.

thanks,
  Gerd

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-10-27 11:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-27 11:41 [Qemu-devel] [PATCH] vnc: sanitize bits_per_pixel from the client Petr Matousek
2014-10-27 11:53 ` Gerd Hoffmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).