Avoid invalid read when ZRLE connection closed (upstream bug #133).

Resolves: rhbz#1039926
2013-12-12 17:31:18 +00:00 · 2013-12-12 17:31:18 +00:00 · 849f0627d2
commit 849f0627d2
parent 475c2dd0e7
2 changed files with 77 additions and 1 deletions
--- a/tigervnc-zrle-crash.patch
+++ b/tigervnc-zrle-crash.patch
@ -0,0 +1,69 @@
+diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx
+--- tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash	2013-07-01 13:41:59.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx	2013-12-12 17:30:48.510007365 +0000
+@@ -55,16 +55,19 @@ Encoder* ZRLEEncoder::create(SMsgWriter*
+ }
+ 
+ ZRLEEncoder::ZRLEEncoder(SMsgWriter* writer_)
+-  : writer(writer_), zos(0,0,zlibLevel)
+  : writer(writer_)
+ {
+   if (sharedMos)
+     mos = sharedMos;
+   else
+     mos = new rdr::MemOutStream(129*1024);
+
+  zos = new rdr::ZlibOutStream(0, 0, zlibLevel);
+ }
+ 
+ ZRLEEncoder::~ZRLEEncoder()
+ {
+  delete zos;
+   if (!sharedMos)
+     delete mos;
+ }
+@@ -78,10 +81,10 @@ bool ZRLEEncoder::writeRect(const Rect&
+ 
+   switch (writer->bpp()) {
+   case 8:
+-    wroteAll = zrleEncode8(r, mos, &zos, imageBuf, maxLen, actual, ig);
+    wroteAll = zrleEncode8(r, mos, zos, imageBuf, maxLen, actual, ig);
+     break;
+   case 16:
+-    wroteAll = zrleEncode16(r, mos, &zos, imageBuf, maxLen, actual, ig);
+    wroteAll = zrleEncode16(r, mos, zos, imageBuf, maxLen, actual, ig);
+     break;
+   case 32:
+     {
+@@ -94,16 +97,16 @@ bool ZRLEEncoder::writeRect(const Rect&
+       if ((fitsInLS3Bytes && pf.isLittleEndian()) ||
+           (fitsInMS3Bytes && pf.isBigEndian()))
+       {
+-        wroteAll = zrleEncode24A(r, mos, &zos, imageBuf, maxLen, actual, ig);
+        wroteAll = zrleEncode24A(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       else if ((fitsInLS3Bytes && pf.isBigEndian()) ||
+                (fitsInMS3Bytes && pf.isLittleEndian()))
+       {
+-        wroteAll = zrleEncode24B(r, mos, &zos, imageBuf, maxLen, actual, ig);
+        wroteAll = zrleEncode24B(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       else
+       {
+-        wroteAll = zrleEncode32(r, mos, &zos, imageBuf, maxLen, actual, ig);
+        wroteAll = zrleEncode32(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       break;
+     }
+diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.h
+--- tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash	2013-07-01 13:42:01.000000000 +0100
+++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.h	2013-12-12 17:30:48.510007365 +0000
+@@ -45,7 +45,7 @@ namespace rfb {
+   private:
+     ZRLEEncoder(SMsgWriter* writer);
+     SMsgWriter* writer;
+-    rdr::ZlibOutStream zos;
+    rdr::ZlibOutStream* zos;
+     rdr::MemOutStream* mos;
+     static rdr::MemOutStream* sharedMos;
+     static int maxLen;
--- a/tigervnc.spec
+++ b/tigervnc.spec
@ -1,6 +1,6 @@
 Name:		tigervnc
 Version:	1.3.0
-Release:	9%{?dist}
+Release:	10%{?dist}
 Summary:	A TigerVNC remote display system

 Group:		User Interface/Desktops
@ -48,6 +48,7 @@ Patch8:		tigervnc-getmaster.patch
 Patch9:		tigervnc-shebang.patch
 Patch10:	tigervnc-1.3.0-xserver-1.15.patch
 Patch11:	tigervnc-format-security.patch
+Patch12:	tigervnc-zrle-crash.patch

 %description
 Virtual Network Computing (VNC) is a remote display system which
@ -175,6 +176,9 @@ popd
 # Fixed build failure with -Werror=format-security (bug #1037358).
 %patch11 -p1 -b .format-security

+# Avoid invalid read when ZRLE connection closed (upstream bug #133).
+%patch12 -p1 -b .zrle-crash
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@ -347,6 +351,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/*

 %changelog
+* Thu Dec 12 2013 Tim Waugh <twaugh@redhat.com> 1.3.0-10
+- Avoid invalid read when ZRLE connection closed (upstream bug #133).
+
 * Tue Dec  3 2013 Tim Waugh <twaugh@redhat.com> 1.3.0-9
 - Fixed build failure with -Werror=format-security (bug #1037358).