diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-09 23:22:01 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-13 12:40:21 +0530 |
| commit | c56964fcf28c21e5b85d02212e41c6a396776212 (patch) | |
| tree | d71cedf94b23b16f6e65291f85ff757f6dd1b59f /meta-oe | |
| parent | 964432f3af767094c2c1a65d0f7170385581e586 (diff) | |
| download | meta-openembedded-c56964fcf28c21e5b85d02212e41c6a396776212.tar.gz | |
libvncserver: fix CVE-2026-32853
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch | 76 | ||||
| -rw-r--r-- | meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb | 4 |
2 files changed, 79 insertions, 1 deletions
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch new file mode 100644 index 0000000000..be426932db --- /dev/null +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch | |||
| @@ -0,0 +1,76 @@ | |||
| 1 | From 24cac3821d1665a4ed0501e6056925ef9ee53b99 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com> | ||
| 3 | Date: Sun, 22 Mar 2026 20:35:49 +0100 | ||
| 4 | Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle | ||
| 5 | parsing | ||
| 6 | |||
| 7 | HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects | ||
| 8 | (derived from the attacker-controlled rect.r.x) without validating | ||
| 9 | that the pointer stays within the decompressed data buffer. A malicious | ||
| 10 | server can set a large numCacheRects value, causing heap out-of-bounds | ||
| 11 | reads via the memcpy calls in the parsing loop. | ||
| 12 | |||
| 13 | Add bounds checks before reading the 12-byte subrect header and before | ||
| 14 | advancing the pointer by the raw pixel data size. Use uint64_t for the | ||
| 15 | raw data size calculation to prevent integer overflow on 32-bit platforms. | ||
| 16 | |||
| 17 | (cherry picked from commit 009008e2f4d5a54dd71f422070df3af7b3dbc931) | ||
| 18 | |||
| 19 | CVE: CVE-2026-32853 | ||
| 20 | Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931] | ||
| 21 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 22 | --- | ||
| 23 | libvncclient/ultra.c | 16 +++++++++++++++- | ||
| 24 | 1 file changed, 15 insertions(+), 1 deletion(-) | ||
| 25 | |||
| 26 | diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c | ||
| 27 | index 1d3aaba6..5633b8cb 100644 | ||
| 28 | --- a/libvncclient/ultra.c | ||
| 29 | +++ b/libvncclient/ultra.c | ||
| 30 | @@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) | ||
| 31 | int toRead=0; | ||
| 32 | int inflateResult=0; | ||
| 33 | unsigned char *ptr=NULL; | ||
| 34 | + unsigned char *ptr_end=NULL; | ||
| 35 | lzo_uint uncompressedBytes = ry + (rw * 65535); | ||
| 36 | unsigned int numCacheRects = rx; | ||
| 37 | |||
| 38 | @@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) | ||
| 39 | |||
| 40 | /* Put the uncompressed contents of the update on the screen. */ | ||
| 41 | ptr = (unsigned char *)client->raw_buffer; | ||
| 42 | + ptr_end = ptr + uncompressedBytes; | ||
| 43 | for (i=0; i<numCacheRects; i++) | ||
| 44 | { | ||
| 45 | unsigned short sx, sy, sw, sh; | ||
| 46 | unsigned int se; | ||
| 47 | |||
| 48 | + /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */ | ||
| 49 | + if (ptr + 12 > ptr_end) { | ||
| 50 | + rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i); | ||
| 51 | + return FALSE; | ||
| 52 | + } | ||
| 53 | + | ||
| 54 | memcpy((char *)&sx, ptr, 2); ptr += 2; | ||
| 55 | memcpy((char *)&sy, ptr, 2); ptr += 2; | ||
| 56 | memcpy((char *)&sw, ptr, 2); ptr += 2; | ||
| 57 | @@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) | ||
| 58 | |||
| 59 | if (se == rfbEncodingRaw) | ||
| 60 | { | ||
| 61 | + uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8); | ||
| 62 | + if (rawBytes > (size_t)(ptr_end - ptr)) { | ||
| 63 | + rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i); | ||
| 64 | + return FALSE; | ||
| 65 | + } | ||
| 66 | client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh); | ||
| 67 | - ptr += ((sw * sh) * (BPP / 8)); | ||
| 68 | + ptr += (size_t)rawBytes; | ||
| 69 | } | ||
| 70 | } | ||
| 71 | |||
| 72 | @@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh) | ||
| 73 | } | ||
| 74 | |||
| 75 | #undef CARDBPP | ||
| 76 | + | ||
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb index 6f271ee0d3..11efd7cc0f 100644 --- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb | |||
| @@ -44,7 +44,9 @@ FILES:libvncclient = "${libdir}/libvncclient.*" | |||
| 44 | 44 | ||
| 45 | inherit cmake pkgconfig | 45 | inherit cmake pkgconfig |
| 46 | 46 | ||
| 47 | SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" | 47 | SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \ |
| 48 | file://CVE-2026-32853.patch \ | ||
| 49 | " | ||
| 48 | SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028" | 50 | SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028" |
| 49 | 51 | ||
| 50 | S = "${WORKDIR}/git" | 52 | S = "${WORKDIR}/git" |
