Bug 7010 - Xvnc crashes in ProcPutImage
Summary: Xvnc crashes in ProcPutImage
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VNC (show other bugs)
Version: 1.3.1
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.9.0
Assignee: Pierre Ossman
URL:
Keywords: relnotes
Depends on:
Blocks:
 
Reported: 2017-07-12 15:08 CEST by Pierre Ossman
Modified: 2017-07-13 10:24 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio 2017-07-12 15:08:34 CEST 
We got a report with this crash under 4.8.0:

> (EE) 
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d7fff]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1db489) [0x5db489]
> (EE) 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f5a64388000+0x110c0) [0x7f5a643990c0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (ProcPutImage+0xd5) [0x5864b5]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (Dispatch+0x28f) [0x5894df]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49d75e]
> (EE) 6: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf1) [0x7f5a640092b1]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (0x400000+0x9f143) [0x49f143]
> (EE) 
> (EE) Floating point exception at address 0x5864b5

Apparently happens with KDE without compositing on Debian 9.
Comment 2 Pierre Ossman cendio 2017-07-12 15:10:52 CEST 
Following the address gives this line in dispatch.c:

>     if (lengthProto >= (INT32_MAX / stuff->height))

Which seems to have been fixed upstream back in 2015:

https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b

It also got a CVE:

CVE-2015-3418
Comment 5 Pierre Ossman cendio 2017-07-13 10:24:35 CEST 
We don't have a way to reproduce this, but the customer verified that the fix works.
Note You need to log in before you can comment on or make changes to this bug.