mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

libvncserver: fix CVE-2026-32853

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Ankur Tyagi
2026-04-09 23:22:01 +12:00
committed by Anuj Mittal
parent 964432f3af
commit c56964fcf2
2 changed files with 79 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
+76
View File
@@ -0,0 +1,76 @@
From 24cac3821d1665a4ed0501e6056925ef9ee53b99 Mon Sep 17 00:00:00 2001
From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
Date: Sun, 22 Mar 2026 20:35:49 +0100
Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle
parsing
HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
(derived from the attacker-controlled rect.r.x) without validating
that the pointer stays within the decompressed data buffer. A malicious
server can set a large numCacheRects value, causing heap out-of-bounds
reads via the memcpy calls in the parsing loop.
Add bounds checks before reading the 12-byte subrect header and before
advancing the pointer by the raw pixel data size. Use uint64_t for the
raw data size calculation to prevent integer overflow on 32-bit platforms.
(cherry picked from commit 009008e2f4d5a54dd71f422070df3af7b3dbc931)
CVE: CVE-2026-32853
Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
libvncclient/ultra.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
index 1d3aaba6..5633b8cb 100644
--- a/libvncclient/ultra.c
+++ b/libvncclient/ultra.c
@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
int toRead=0;
int inflateResult=0;
unsigned char *ptr=NULL;
+ unsigned char *ptr_end=NULL;
lzo_uint uncompressedBytes = ry + (rw * 65535);
unsigned int numCacheRects = rx;
@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
/* Put the uncompressed contents of the update on the screen. */
ptr = (unsigned char *)client->raw_buffer;
+ ptr_end = ptr + uncompressedBytes;
for (i=0; i<numCacheRects; i++)
{
unsigned short sx, sy, sw, sh;
unsigned int se;
+ /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
+ if (ptr + 12 > ptr_end) {
+ rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
+ return FALSE;
+ }
+
memcpy((char *)&sx, ptr, 2); ptr += 2;
memcpy((char *)&sy, ptr, 2); ptr += 2;
memcpy((char *)&sw, ptr, 2); ptr += 2;
@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
if (se == rfbEncodingRaw)
{
+ uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
+ if (rawBytes > (size_t)(ptr_end - ptr)) {
+ rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
+ return FALSE;
+ }
client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
- ptr += ((sw * sh) * (BPP / 8));
+ ptr += (size_t)rawBytes;
}
}
@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
}
#undef CARDBPP
+
meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+3 -1
View File
@@ -44,7 +44,9 @@ FILES:libvncclient = "${libdir}/libvncclient.*"
inherit cmake pkgconfig
SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https"
SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
file://CVE-2026-32853.patch \
"
SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"
S = "${WORKDIR}/git"