1. 03 9月, 2015 1 次提交
  2. 28 8月, 2015 2 次提交
  3. 27 8月, 2015 4 次提交
  4. 26 8月, 2015 1 次提交
    • G
      vnc: fix memory corruption (CVE-2015-5225) · eb8934b0
      Gerd Hoffmann 提交于
      The _cmp_bytes variable added by commit "bea60dd7 ui/vnc: fix potential
      memory corruption issues" can become negative.  Result is (possibly
      exploitable) memory corruption.  Reason for that is it uses the stride
      instead of bytes per scanline to apply limits.
      
      For the server surface is is actually fine.  vnc creates that itself,
      there is never any padding and thus scanline length always equals stride.
      
      For the guest surface scanline length and stride are typically identical
      too, but it doesn't has to be that way.  So add and use a new variable
      (guest_ll) for the guest scanline length.  Also rename min_stride to
      line_bytes to make more clear what it actually is.  Finally sprinkle
      in an assert() to make sure we never use a negative _cmp_bytes again.
      Reported-by: N范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
      Reviewed-by: NP J P <ppandit@redhat.com>
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      eb8934b0
  5. 25 8月, 2015 32 次提交