diff options
Diffstat (limited to 'nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch')
-rw-r--r-- | nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch new file mode 100644 index 000000000000..6d7b3e89e0c4 --- /dev/null +++ b/nixpkgs/pkgs/tools/admin/tightvnc/1.3.10-CVE-2019-15679.patch @@ -0,0 +1,19 @@ +Adapted from https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7 +diff --git a/vncviewer/rfbproto.c b/vncviewer/rfbproto.c +index 04b0230..bd11b54 100644 +--- a/vncviewer/rfbproto.c ++++ b/vncviewer/rfbproto.c +@@ -303,7 +303,12 @@ InitialiseRFBConnection(void) + si.format.blueMax = Swap16IfLE(si.format.blueMax); + si.nameLength = Swap32IfLE(si.nameLength); + +- /* FIXME: Check arguments to malloc() calls. */ ++ if (si.nameLength > 1<<20) { ++ fprintf(stderr, "Too big desktop name length sent by server: %lu B > 1 MB\n", ++ (unsigned long)si.nameLength); ++ return False; ++ } ++ + desktopName = malloc(si.nameLength + 1); + if (!desktopName) { + fprintf(stderr, "Error allocating memory for desktop name, %lu bytes\n", |