From e080f64d50da9b72769067f69f73a1ac7536f8d8 Mon Sep 17 00:00:00 2001
From: Packit Service
Date: Nov 25 2020 06:14:52 +0000
Subject: Apply patch libvncserver-0.9.11-Validate-client-cut-text-length.patch
patch_name: libvncserver-0.9.11-Validate-client-cut-text-length.patch
present_in_specfile: true
location_in_specfile: 9
---
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 421d8c7..4d505e6 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -85,6 +85,12 @@
 #include /* strftime() */
 #include
+/* SIZE_MAX */
+#include
+/* PRIu32 */
+#include
+/* INT_MAX */
+#include
 #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
 #include "rfbssl.h"
@@ -2582,7 +2588,21 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 msg.cct.length = Swap32IfLE(msg.cct.length);
- str = (char *)malloc(msg.cct.length);
+ /* uint32_t input is passed to malloc()'s size_t argument, * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int * argument. Here we check that the value fits into all of them to * prevent from misinterpretation and thus from accessing uninitialized * memory. CVE-2018-7225 */
+ if (msg.cct.length > SIZE_MAX || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) { rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n", msg.cct.length); rfbCloseClient(cl);
+ return;
+ }
+
+ /* Allow zero-length client cut text. */
+ str = (char *)malloc(msg.cct.length ? msg.cct.length : 1);
 if (str == NULL) {
 rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
 rfbCloseClient(cl);
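Review bot: The added bound in the second hunk only rejects lengths that would be misinterpreted by the int and size_t arguments, so a connected client can still make the server malloc() and then sit in rfbReadExact() for close to INT_MAX bytes of cut text; a much smaller explicit cap would close that resource-exhaustion path, e.g. `if (msg.cct.length > RFB_CUT_TEXT_MAX /* constructed name: project-chosen limit */ || msg.cct.length > INT_MAX - sz_rfbClientCutTextMsg) {`. The `msg.cct.length > SIZE_MAX` comparison is always false wherever SIZE_MAX is at least UINT32_MAX, which is every 32- and 64-bit target, and it will draw -Wtype-limits warnings; it could be dropped with a one-line comment noting that the INT_MAX test already covers the size_t conversion. Whether the session is authenticated at this point, and the rfbReadExact()/rfbStatRecordMessageRcvd() calls that consume the length, are outside the hunk, so the exposure cannot be judged from these lines alone. rfbProcessClientNormalMessage starts before and continues after this hunk.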