Description:  Check for MallocFrameBuffer() return value (CVE-2014-6052)
 If MallocFrameBuffer() returns FALSE, the frame buffer pointer is left
 NULL. Subsequent writes into that buffer could lead to memory
 corruption, or even arbitrary code execution.
Origin: https://github.com/newsoft/libvncserver/commit/85a778c0e45e87e35ee7199f1f25020648e8b812
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c
===================================================================
--- libvncserver-0.9.9+dfsg.orig/libvncclient/rfbproto.c
+++ libvncserver-0.9.9+dfsg/libvncclient/rfbproto.c
@@ -1807,7 +1807,8 @@ HandleRFBServerMessage(rfbClient* client
 	client->updateRect.x = client->updateRect.y = 0;
 	client->updateRect.w = client->width;
 	client->updateRect.h = client->height;
-	client->MallocFrameBuffer(client);
+  if (!client->MallocFrameBuffer(client))
+    return FALSE;
 	SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
 	rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
 	continue;
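Review bot: The new early return after the `MallocFrameBuffer` check is silent, so a failed allocation following a server-driven resize is indistinguishable from any other protocol error; the same applies to the two later hunks in this file and to the one in vncviewer.c. Logging before bailing out would make the cause visible, e.g. `if (!client->MallocFrameBuffer(client)) { rfbClientLog("MallocFrameBuffer failed for %dx%d\n", rect.r.w, rect.r.h); return FALSE; }`. The added lines are also indented with spaces while the surrounding context in this hunk uses tabs. HandleRFBServerMessage starts and ends outside the hunk.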
@@ -2260,7 +2261,8 @@ HandleRFBServerMessage(rfbClient* client
     client->updateRect.x = client->updateRect.y = 0;
     client->updateRect.w = client->width;
     client->updateRect.h = client->height;
-    client->MallocFrameBuffer(client);
+    if (!client->MallocFrameBuffer(client))
+      return FALSE;
     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
     break;
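Review bot: `client->updateRect` is already rewritten to the new `client->width`/`client->height` before the allocation result is checked, so on the FALSE return the client structure describes a geometry with no buffer behind it; the same ordering appears in the next hunk and in the first one. That is harmless only if every caller stops using the client once HandleRFBServerMessage returns FALSE, which cannot be seen from here. I would state that contract next to the check: `/* on failure width/height/updateRect no longer match frameBuffer; caller must drop the connection */`. The enclosing case body starts outside the hunk.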
@@ -2276,7 +2278,9 @@ HandleRFBServerMessage(rfbClient* client
     client->updateRect.x = client->updateRect.y = 0;
     client->updateRect.w = client->width;
     client->updateRect.h = client->height;
-    client->MallocFrameBuffer(client);
+    if (!client->MallocFrameBuffer(client))
+      return FALSE;
+
     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
     break;
Index: libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
===================================================================
--- libvncserver-0.9.9+dfsg.orig/libvncclient/vncviewer.c
+++ libvncserver-0.9.9+dfsg/libvncclient/vncviewer.c
@@ -243,7 +243,8 @@ static rfbBool rfbInitConnection(rfbClie
 
   client->width=client->si.framebufferWidth;
   client->height=client->si.framebufferHeight;
-  client->MallocFrameBuffer(client);
+  if (!client->MallocFrameBuffer(client))
+    return FALSE;
 
   if (!SetFormatAndEncodings(client))
     return FALSE;
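Review bot: The check in rfbInitConnection only helps if the `MallocFrameBuffer` hook actually reports failure, and the size it is asked for comes straight from `client->si.framebufferWidth`/`framebufferHeight` with no range check in the visible lines. The hook is called through a pointer on the client and can presumably be replaced by the application, so the requirement should be documented at the call: `/* MallocFrameBuffer must return FALSE if it cannot provide a buffer for width x height */`. Whether the default implementation guards its size computation against overflow for large dimensions is not visible in this hunk and is worth confirming. The function body continues outside the hunk.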
