vapier 14/10/31 00:17:46

Added: qemu-2.1.2-vnc-sanitize-bits.patch
Log:
Add fix from upstream for vnc arg sanitizing #527088 by Agostino Sarubbo.

(Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key D2E96200)

Revision  Changes  Path
1.1                app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch?rev=1.1&content-type=text/plain

Index: qemu-2.1.2-vnc-sanitize-bits.patch
===================================================================
https://bugs.gentoo.org/527088

From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
From: Petr Matousek <pmatouse@××××××.com>
Date: Mon, 27 Oct 2014 12:41:44 +0100
Subject: [PATCH] vnc: sanitize bits_per_pixel from the client

bits_per_pixel values that are less than 8 could result in accessing
non-initialized buffers later in the code, due to the expectation
that the bytes_per_pixel value that is used to initialize these buffers is
never zero.

To fix this, check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.

This is CVE-2014-7815.

Signed-off-by: Petr Matousek <pmatouse@××××××.com>

[ kraxel: apply codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
---
 ui/vnc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 0fe6eff..8bca597 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs, |
return; |
} |
|
+ switch (bits_per_pixel) { |
+ case 8: |
+ case 16: |
+ case 32: |
+ break; |
+ default: |
+ vnc_client_error(vs); |
+ return; |
+ } |
+ |
vs->client_pf.rmax = red_max; |
vs->client_pf.rbits = hweight_long(red_max); |
vs->client_pf.rshift = red_shift; |
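Review bot: the new switch in set_pixel_format rejects anything but 8, 16 and 32 bpp via vnc_client_error() and returns, but it carries no comment, so a later reader has to recover from the commit message why exactly these three values are accepted (they are the ones the RFB specification allows) and why smaller values matter (bytes_per_pixel derived from them becomes zero and the buffers sized from it are left uninitialized); suggest a one-line comment above `switch (bits_per_pixel) {` such as `/* RFB permits only 8, 16 or 32 bpp; anything smaller gives bytes_per_pixel == 0 */`. Placement is right: the check sits before `vs->client_pf.rmax = red_max;`, i.e. before any client_pf field is populated from the client's message, so a rejected format never reaches the buffer setup.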
--
2.1.2
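The following is an added example, not QEMU code and not part of the patch above. It shows the failure mode the commit message describes and the check the patch adds, in isolation: a small parser for the 16-byte PIXEL_FORMAT structure that a client sends in an RFB SetPixelFormat message (field layout per RFC 6143 section 7.4), the naive `bits_per_pixel / 8` derivation that yields zero for a value below 8, and an accept function that whitelists 8, 16 and 32 before any bytes_per_pixel is computed. The struct and function names (`rfb_pixel_format`, `rfb_parse_pixel_format`, `rfb_accept_pixel_format`, etc.) and the two sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* PIXEL_FORMAT as carried on the wire (RFC 6143 section 7.4), 16 bytes:
 * U8 bits-per-pixel, U8 depth, U8 big-endian-flag, U8 true-colour-flag,
 * U16 red-max, U16 green-max, U16 blue-max,
 * U8 red-shift, U8 green-shift, U8 blue-shift, 3 bytes padding.
 * Struct and function names below are hypothetical, chosen for this example. */
struct rfb_pixel_format {
    uint8_t  bits_per_pixel;
    uint8_t  depth;
    uint8_t  big_endian;
    uint8_t  true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
};

#define RFB_PIXEL_FORMAT_LEN 16

/* Multi-byte fields are big-endian on the wire. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decodes the structure from buf; returns 0 on success, -1 if buf is too short.
 * Decoding alone does no semantic validation of the values. */
int rfb_parse_pixel_format(const uint8_t *buf, size_t len, struct rfb_pixel_format *pf)
{
    if (len < RFB_PIXEL_FORMAT_LEN) return -1;
    pf->bits_per_pixel = buf[0];
    pf->depth          = buf[1];
    pf->big_endian     = buf[2];
    pf->true_colour    = buf[3];
    pf->red_max        = rd16(buf + 4);
    pf->green_max      = rd16(buf + 6);
    pf->blue_max       = rd16(buf + 8);
    pf->red_shift      = buf[10];
    pf->green_shift    = buf[11];
    pf->blue_shift     = buf[12];
    /* buf[13..15] is padding and is ignored. */
    return 0;
}

/* The derivation the commit message refers to: integer division turns any
 * client value below 8 into 0, which is what a buffer sized from it gets. */
int unchecked_bytes_per_pixel(uint8_t bits_per_pixel) { return bits_per_pixel / 8; }

/* The whitelist the patch introduces: only the values RFB allows pass. */
int rfb_bits_per_pixel_valid(uint8_t bits_per_pixel)
{
    switch (bits_per_pixel) {
    case 8:
    case 16:
    case 32:
        return 1;
    default:
        return 0;
    }
}

/* Parses and validates a client pixel format. Returns bytes_per_pixel (always
 * 1, 2 or 4) on success; returns -1 and leaves no derived value behind when the
 * message is short or bits_per_pixel is outside the allowed set. */
int rfb_accept_pixel_format(const uint8_t *buf, size_t len, struct rfb_pixel_format *pf)
{
    if (rfb_parse_pixel_format(buf, len, pf) != 0) return -1;
    if (!rfb_bits_per_pixel_valid(pf->bits_per_pixel)) return -1;
    return pf->bits_per_pixel / 8;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_VALID_32BPP[RFB_PIXEL_FORMAT_LEN] = {
    32, 24, 0, 1, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 16, 8, 0, 0, 0, 0 };
const uint8_t SAMPLE_BAD_4BPP[RFB_PIXEL_FORMAT_LEN] = {
    4, 4, 0, 1, 0x00, 0x0f, 0x00, 0x0f, 0x00, 0x0f, 8, 4, 0, 0, 0, 0 };

int main(void)
{
    struct rfb_pixel_format pf;
    printf("unchecked bytes_per_pixel for 4 bpp: %d\n", unchecked_bytes_per_pixel(4));
    printf("accept 32 bpp: %d\n", rfb_accept_pixel_format(SAMPLE_VALID_32BPP, sizeof SAMPLE_VALID_32BPP, &pf));
    printf("accept 4 bpp:  %d\n", rfb_accept_pixel_format(SAMPLE_BAD_4BPP, sizeof SAMPLE_BAD_4BPP, &pf));
    return 0;
}
```

The point of `rfb_accept_pixel_format` is ordering: the whitelist runs on the raw field before anything is derived from it, so no caller ever sees a zero bytes_per_pixel, which mirrors where the patch places its switch in set_pixel_format.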