[tigervnc] Avoid invalid read when ZRLE connection closed (upstream bug #133).

Tim Waugh twaugh at fedoraproject.org
Thu Dec 12 17:40:07 UTC 2013


commit 849f0627d20a5aec518f9b328bc3add127a5cff4
Author: Tim Waugh <twaugh at redhat.com>
Date:   Thu Dec 12 17:31:18 2013 +0000

    Avoid invalid read when ZRLE connection closed (upstream bug #133).
    
    Resolves: rhbz#1039926

 tigervnc-zrle-crash.patch |   69 +++++++++++++++++++++++++++++++++++++++++++++
 tigervnc.spec             |    9 +++++-
 2 files changed, 77 insertions(+), 1 deletions(-)
---
diff --git a/tigervnc-zrle-crash.patch b/tigervnc-zrle-crash.patch
new file mode 100644
index 0000000..74545d7
--- /dev/null
+++ b/tigervnc-zrle-crash.patch
@@ -0,0 +1,69 @@
+diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx
+--- tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx.zrle-crash	2013-07-01 13:41:59.000000000 +0100
++++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.cxx	2013-12-12 17:30:48.510007365 +0000
+@@ -55,16 +55,19 @@ Encoder* ZRLEEncoder::create(SMsgWriter*
+ }
+ 
+ ZRLEEncoder::ZRLEEncoder(SMsgWriter* writer_)
+-  : writer(writer_), zos(0,0,zlibLevel)
++  : writer(writer_)
+ {
+   if (sharedMos)
+     mos = sharedMos;
+   else
+     mos = new rdr::MemOutStream(129*1024);
++
++  zos = new rdr::ZlibOutStream(0, 0, zlibLevel);
+ }
+ 
+ ZRLEEncoder::~ZRLEEncoder()
+ {
++  delete zos;
+   if (!sharedMos)
+     delete mos;
+ }
+@@ -78,10 +81,10 @@ bool ZRLEEncoder::writeRect(const Rect&
+ 
+   switch (writer->bpp()) {
+   case 8:
+-    wroteAll = zrleEncode8(r, mos, &zos, imageBuf, maxLen, actual, ig);
++    wroteAll = zrleEncode8(r, mos, zos, imageBuf, maxLen, actual, ig);
+     break;
+   case 16:
+-    wroteAll = zrleEncode16(r, mos, &zos, imageBuf, maxLen, actual, ig);
++    wroteAll = zrleEncode16(r, mos, zos, imageBuf, maxLen, actual, ig);
+     break;
+   case 32:
+     {
+@@ -94,16 +97,16 @@ bool ZRLEEncoder::writeRect(const Rect&
+       if ((fitsInLS3Bytes && pf.isLittleEndian()) ||
+           (fitsInMS3Bytes && pf.isBigEndian()))
+       {
+-        wroteAll = zrleEncode24A(r, mos, &zos, imageBuf, maxLen, actual, ig);
++        wroteAll = zrleEncode24A(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       else if ((fitsInLS3Bytes && pf.isBigEndian()) ||
+                (fitsInMS3Bytes && pf.isLittleEndian()))
+       {
+-        wroteAll = zrleEncode24B(r, mos, &zos, imageBuf, maxLen, actual, ig);
++        wroteAll = zrleEncode24B(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       else
+       {
+-        wroteAll = zrleEncode32(r, mos, &zos, imageBuf, maxLen, actual, ig);
++        wroteAll = zrleEncode32(r, mos, zos, imageBuf, maxLen, actual, ig);
+       }
+       break;
+     }
+diff -up tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash tigervnc-1.3.0/common/rfb/ZRLEEncoder.h
+--- tigervnc-1.3.0/common/rfb/ZRLEEncoder.h.zrle-crash	2013-07-01 13:42:01.000000000 +0100
++++ tigervnc-1.3.0/common/rfb/ZRLEEncoder.h	2013-12-12 17:30:48.510007365 +0000
+@@ -45,7 +45,7 @@ namespace rfb {
+   private:
+     ZRLEEncoder(SMsgWriter* writer);
+     SMsgWriter* writer;
+-    rdr::ZlibOutStream zos;
++    rdr::ZlibOutStream* zos;
+     rdr::MemOutStream* mos;
+     static rdr::MemOutStream* sharedMos;
+     static int maxLen;
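Review bot: In `ZRLEEncoder::~ZRLEEncoder()` the fix depends on `delete zos;` running before `delete mos;`, yet nothing in the new code records that ordering, so a later cleanup could silently reintroduce the invalid read. As a by-value member, zos was destroyed only after the destructor body had already freed a non-shared mos; presumably its destructor still touches the stream it was last pointed at, though that code is not visible in this hunk. I would add a comment above the delete, e.g. `// zos must be destroyed before mos: its destructor may still access the underlying stream`. Separately, the class now owns two raw pointers: if `new rdr::ZlibOutStream(0, 0, zlibLevel)` throws in the constructor, a non-shared mos leaks, and copying a ZRLEEncoder would double-delete zos unless copying is disabled in a part of ZRLEEncoder.h outside the visible hunk.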
diff --git a/tigervnc.spec b/tigervnc.spec
index 4e2d3e4..f5e7105 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,6 +1,6 @@
 Name:		tigervnc
 Version:	1.3.0
-Release:	9%{?dist}
+Release:	10%{?dist}
 Summary:	A TigerVNC remote display system
 
 Group:		User Interface/Desktops
@@ -48,6 +48,7 @@ Patch8:		tigervnc-getmaster.patch
 Patch9:		tigervnc-shebang.patch
 Patch10:	tigervnc-1.3.0-xserver-1.15.patch
 Patch11:	tigervnc-format-security.patch
+Patch12:	tigervnc-zrle-crash.patch
 
 %description
 Virtual Network Computing (VNC) is a remote display system which
@@ -175,6 +176,9 @@ popd
 # Fixed build failure with -Werror=format-security (bug #1037358).
 %patch11 -p1 -b .format-security
 
+# Avoid invalid read when ZRLE connection closed (upstream bug #133).
+%patch12 -p1 -b .zrle-crash
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@@ -347,6 +351,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/*
 
 %changelog
+* Thu Dec 12 2013 Tim Waugh <twaugh at redhat.com> 1.3.0-10
+- Avoid invalid read when ZRLE connection closed (upstream bug #133).
+
 * Tue Dec  3 2013 Tim Waugh <twaugh at redhat.com> 1.3.0-9
 - Fixed build failure with -Werror=format-security (bug #1037358).
 

