summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-04-09 23:22:01 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-13 12:40:21 +0530
commitc56964fcf28c21e5b85d02212e41c6a396776212 (patch)
treed71cedf94b23b16f6e65291f85ff757f6dd1b59f /meta-oe
parent964432f3af767094c2c1a65d0f7170385581e586 (diff)
downloadmeta-openembedded-c56964fcf28c21e5b85d02212e41c6a396776212.tar.gz
libvncserver: fix CVE-2026-32853
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch76
-rw-r--r--meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb4
2 files changed, 79 insertions, 1 deletions
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
new file mode 100644
index 0000000000..be426932db
--- /dev/null
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
@@ -0,0 +1,76 @@
1From 24cac3821d1665a4ed0501e6056925ef9ee53b99 Mon Sep 17 00:00:00 2001
2From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
3Date: Sun, 22 Mar 2026 20:35:49 +0100
4Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle
5 parsing
6
7HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
8(derived from the attacker-controlled rect.r.x) without validating
9that the pointer stays within the decompressed data buffer. A malicious
10server can set a large numCacheRects value, causing heap out-of-bounds
11reads via the memcpy calls in the parsing loop.
12
13Add bounds checks before reading the 12-byte subrect header and before
14advancing the pointer by the raw pixel data size. Use uint64_t for the
15raw data size calculation to prevent integer overflow on 32-bit platforms.
16
17(cherry picked from commit 009008e2f4d5a54dd71f422070df3af7b3dbc931)
18
19CVE: CVE-2026-32853
20Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931]
21Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
22---
23 libvncclient/ultra.c | 16 +++++++++++++++-
24 1 file changed, 15 insertions(+), 1 deletion(-)
25
26diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
27index 1d3aaba6..5633b8cb 100644
28--- a/libvncclient/ultra.c
29+++ b/libvncclient/ultra.c
30@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
31 int toRead=0;
32 int inflateResult=0;
33 unsigned char *ptr=NULL;
34+ unsigned char *ptr_end=NULL;
35 lzo_uint uncompressedBytes = ry + (rw * 65535);
36 unsigned int numCacheRects = rx;
37
38@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
39
40 /* Put the uncompressed contents of the update on the screen. */
41 ptr = (unsigned char *)client->raw_buffer;
42+ ptr_end = ptr + uncompressedBytes;
43 for (i=0; i<numCacheRects; i++)
44 {
45 unsigned short sx, sy, sw, sh;
46 unsigned int se;
47
48+ /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
49+ if (ptr + 12 > ptr_end) {
50+ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
51+ return FALSE;
52+ }
53+
54 memcpy((char *)&sx, ptr, 2); ptr += 2;
55 memcpy((char *)&sy, ptr, 2); ptr += 2;
56 memcpy((char *)&sw, ptr, 2); ptr += 2;
57@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
58
59 if (se == rfbEncodingRaw)
60 {
61+ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
62+ if (rawBytes > (size_t)(ptr_end - ptr)) {
63+ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
64+ return FALSE;
65+ }
66 client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
67- ptr += ((sw * sh) * (BPP / 8));
68+ ptr += (size_t)rawBytes;
69 }
70 }
71
72@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
73 }
74
75 #undef CARDBPP
76+
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
index 6f271ee0d3..11efd7cc0f 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
@@ -44,7 +44,9 @@ FILES:libvncclient = "${libdir}/libvncclient.*"
44 44
45inherit cmake pkgconfig 45inherit cmake pkgconfig
46 46
47SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" 47SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
48 file://CVE-2026-32853.patch \
49"
48SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028" 50SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"
49 51
50S = "${WORKDIR}/git" 52S = "${WORKDIR}/git"