6165 – TigerVNC hextileDecode.h buffer overflow

Bug 6165 - TigerVNC hextileDecode.h buffer overflow

Summary: TigerVNC hextileDecode.h buffer overflow

Status:	CLOSED FIXED

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	VNC (show other bugs)
Version:	trunk
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	4.8.0
Assignee:	Peter Åstrand

URL:
Keywords:	derfian_tester, relnotes

Depends on:	6153
Blocks:
	Show dependency tree / graph

Reported:	2017-02-08 11:01 CET by Peter Åstrand
Modified:	2017-03-27 14:41 CEST (History)
CC List:	1 user (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Peter Åstrand cendio

2017-02-08 11:01:02 CET

This bug corresponds to the upstream Issue https://github.com/TigerVNC/tigervnc/pull/378:

"The hextileDecodexx functions do not properly check for out-of-bounds pixel buffer writes,
which allows a malicious server to overwrite parts of the stack."

Comment 3 Karl Mikaelsson cendio

2017-02-10 16:30:49 CET

I haven't been able to reproduce any original problem (4.7.0 and nightly clients behave the same). I can confirm that the code referenced in the pull request is present in our source code repositories.

Note You need to log in before you can comment on or make changes to this bug.