From: Christian Beier <dontmind@freeshell.org>
Date: Sat, 29 Sep 2018 22:28:57 +0200
Subject: LibVNCClient: fix three possible heap buffer overflows
Origin: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-20019
Bug-Debian: https://bugs.debian.org/916941
Bug: https://github.com/LibVNC/libvncserver/issues/247

An attacker could feed `0xffffffff`, causing a `malloc(0)` for the
buffers which are subsequently written to.

Closes #247
---
 libvncclient/rfbproto.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -553,7 +553,7 @@
         /* we have an error following */
         if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
         reasonLen = rfbClientSwap32IfLE(reasonLen);
-        reason = malloc(reasonLen+1);
+        reason = malloc((uint64_t)reasonLen+1);
         if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return FALSE; }
         reason[reasonLen]=0;
         rfbClientLog("VNC connection failed: %s\n",reason);
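Review bot: The widened `malloc((uint64_t)reasonLen+1)` still converts its argument to `size_t`, so where `size_t` is 32 bits a length of `0xffffffff` truncates back to a zero-byte request. The result is also never checked for NULL before `ReadFromRFBServer(client, reason, reasonLen)` and `reason[reasonLen]=0` write through it. The length comes straight from the server with no upper bound, so even on 64-bit builds the peer can request an allocation of about 4 GiB. I would reject oversized lengths before allocating and check the allocation, e.g. `if (reasonLen > MAX_REASON_LEN) return FALSE;` (placeholder name, no such constant is visible in this patch) followed by `if (!reason) return FALSE;` after the `malloc`. The same applies to the second `reason` hunk (which returns `void`, so a plain `return;`) and to the `msg.sct.length` hunk; all three enclosing functions start and end outside the hunks shown.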
@@ -581,7 +581,7 @@
     /* we have an error following */
     if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
     reasonLen = rfbClientSwap32IfLE(reasonLen);
-    reason = malloc(reasonLen+1);
+    reason = malloc((uint64_t)reasonLen+1);
     if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return; }
     reason[reasonLen]=0;
     rfbClientLog("VNC connection failed: %s\n",reason);
@@ -2245,10 +2245,12 @@
 
     msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
 
-    buffer = malloc(msg.sct.length+1);
+    buffer = malloc((uint64_t)msg.sct.length+1);
 
-    if (!ReadFromRFBServer(client, buffer, msg.sct.length))
+    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+      free(buffer);
       return FALSE;
+    }
 
     buffer[msg.sct.length] = 0;
 
