From 1d5aaf54f89803ff49502f01ec0c0ad51a832e38 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Tue, 10 Sep 2019 16:07:50 +0200
Subject: [PATCH] Add sanity checks for PixelFormat shift values

Otherwise we might be tricked in to reading and writing things at incorrect offsets for pixels which ultimately could result in an attacker writing things to the stack or heap and executing things they shouldn't. This only affects the server as the client never uses the pixel format suggested by th server. Issue found by Pavel Cheremushkin from Kaspersky Lab.
---
 common/rfb/PixelFormat.cxx | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/common/rfb/PixelFormat.cxx b/common/rfb/PixelFormat.cxx
index 552491d..52e267a 100644
--- a/common/rfb/PixelFormat.cxx
+++ b/common/rfb/PixelFormat.cxx
@@ -681,6 +681,13 @@ bool PixelFormat::isSane(void)
   if (totalBits > depth)
     return false;
 
+  if ((bits(redMax) + redShift) > bpp)
+    return false;
+  if ((bits(greenMax) + greenShift) > bpp)
+    return false;
+  if ((bits(blueMax) + blueShift) > bpp)
+    return false;
+
   if (((redMax << redShift) & (greenMax << greenShift)) != 0)
     return false;
   if (((redMax << redShift) & (blueMax << blueShift)) != 0)
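Review bot: The three new range checks bound each channel to bpp, but they still admit a shift equal to bpp when the corresponding max is 0, since bits(0) would presumably be 0; with bpp = 32 the context line `redMax << redShift` that follows then shifts an int by its full width, which is undefined behaviour, assuming a zero max is not already rejected by the earlier part of isSane (the start of the function is outside the hunk). Tightening each guard to `if (redMax == 0 || (bits(redMax) + redShift) > bpp)` (and likewise for green and blue) closes that case without changing the accepted formats otherwise. A short comment above the new block would also help readers see why the bound is bpp rather than depth, e.g. `// Each channel must fit entirely inside the pixel, otherwise the pixel readers/writers index past it`.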