tigervnc/tigervnc-CVE-2014-0011.patch

diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011	2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/CMakeLists.txt	2014-02-04 16:59:10.840037314 +0000
@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
     set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
   endif()
 endif()
+
+# Turn asserts on.
+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011	2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/zrleDecode.h	2014-02-04 16:17:00.881565540 +0000
@@ -25,9 +25,10 @@
 // FILL_RECT          - fill a rectangle with a single colour
 // IMAGE_RECT         - draw a rectangle of pixel data from a buffer
 
+#include <stdio.h>
 #include <rdr/InStream.h>
 #include <rdr/ZlibInStream.h>
-#include <assert.h>
+#include <rfb/Exception.h>
 
 namespace rfb {
 
@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
               len += b;
             } while (b == 255);
 
-            assert(len <= end - ptr);
+	    if (end - ptr < len) {
+	      fprintf (stderr, "ZRLE decode error\n");
+	      throw Exception ("ZRLE decode error");
+	    }
 
 #ifdef FAVOUR_FILL_RECT
             int i = ptr - buf;
@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
                 len += b;
               } while (b == 255);
 
-              assert(len <= end - ptr);
+	      if (end - ptr < len) {
+		fprintf (stderr, "ZRLE decode error\n");
+		throw Exception ("ZRLE decode error");
+	      }
             }
 
             index &= 127;
Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). Resolves: rhbz#1050928 (cherry picked from commit 0235d7a4993a3bbbea574ec846096ac3ab8fbf2c) Conflicts: tigervnc.spec 2014-03-19 12:28:35 +00:00			`diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt`
			`--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100`
			`+++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000`
			`@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S`
			`set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)`
			`endif()`
			`endif()`
			`+`
			`+# Turn asserts on.`
			`+set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)`
			`diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h`
			`--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100`
			`+++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000`
			`@@ -25,9 +25,10 @@`
			`// FILL_RECT - fill a rectangle with a single colour`
			`// IMAGE_RECT - draw a rectangle of pixel data from a buffer`

			`+#include <stdio.h>`
			`#include <rdr/InStream.h>`
			`#include <rdr/ZlibInStream.h>`
			`-#include <assert.h>`
			`+#include <rfb/Exception.h>`

			`namespace rfb {`

			`@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In`
			`len += b;`
			`} while (b == 255);`

			`- assert(len <= end - ptr);`
			`+ if (end - ptr < len) {`
			`+ fprintf (stderr, "ZRLE decode error\n");`
			`+ throw Exception ("ZRLE decode error");`
			`+ }`

			`#ifdef FAVOUR_FILL_RECT`
			`int i = ptr - buf;`
			`@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In`
			`len += b;`
			`} while (b == 255);`

			`- assert(len <= end - ptr);`
			`+ if (end - ptr < len) {`
			`+ fprintf (stderr, "ZRLE decode error\n");`
			`+ throw Exception ("ZRLE decode error");`
			`+ }`
			`}`

			`index &= 127;`