Hello community, here is the log from the commit of package x11vnc for openSUSE:Factory checked in at 2016-07-12 23:51:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/x11vnc (Old) and /work/SRC/openSUSE:Factory/.x11vnc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "x11vnc" Changes: -------- --- /work/SRC/openSUSE:Factory/x11vnc/x11vnc.changes 2016-02-17 12:26:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.x11vnc.new/x11vnc.changes 2016-07-12 23:51:59.000000000 +0200 @@ -1,0 +2,7 @@ +Mon Jul 4 14:17:12 UTC 2016 - msrb@suse.com + +- x11vnc-fix-buffer-overflow-in-snapshot_stack_list.patch, + x11vnc-fix-buffer-overflow-in-record_CW.patch + * Fix two buffer overflows. (bnc#987182) + +------------------------------------------------------------------- New: ---- x11vnc-fix-buffer-overflow-in-record_CW.patch x11vnc-fix-buffer-overflow-in-snapshot_stack_list.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ x11vnc.spec ++++++ --- /var/tmp/diff_new_pack.EnULYA/_old 2016-07-12 23:52:00.000000000 +0200 +++ /var/tmp/diff_new_pack.EnULYA/_new 2016-07-12 23:52:00.000000000 +0200 @@ -36,6 +36,8 @@ Patch6: x11vnc-examples.diff Patch7: x11vnc.desktop.generics Patch8: x11vnc-automake-1.13.patch +Patch9: x11vnc-fix-buffer-overflow-in-snapshot_stack_list.patch +Patch10: x11vnc-fix-buffer-overflow-in-record_CW.patch Url: http://www.karlrunge.com/x11vnc BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf @@ -103,6 +105,8 @@ %patch6 %patch7 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 mv x11vnc/misc x11vnc/examples %build ++++++ x11vnc-fix-buffer-overflow-in-record_CW.patch ++++++
From 06bbe167108faa7b13f61b75191d39fc200bcfa7 Mon Sep 17 00:00:00 2001 From: Michal Srb
Date: Wed, 6 Jul 2016 14:40:19 +0300 Subject: [PATCH] Fix buffer overflow in record_CW.
The loop is supposed to read up to four 4-byte values that follow the request, but instead it was reading the whole length of the request (header + payload) from the data following the request. diff --git a/src/xrecord.c b/src/xrecord.c index a657ce8..4bc119c 100644 --- a/x11vnc/xrecord.c +++ b/x11vnc/xrecord.c @@ -961,7 +961,7 @@ if (db > 1) fprintf(stderr, "record_CW-%d\n", k++); data = (char *)req; data += sz_xConfigureWindowReq; - for (i=0; i<req->length; i++) { + for (i = 0; i < req->length - sz_xConfigureWindowReq / 4 && i < 4; i++) { unsigned int v; /* * We use unsigned int for the values. There were ++++++ x11vnc-fix-buffer-overflow-in-snapshot_stack_list.patch ++++++
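Review bot: In the xrecord.c hunk for record_CW, the new bound `req->length - sz_xConfigureWindowReq / 4` mixes a length counted in 4-byte units with a header size in bytes and depends on `/` binding tighter than `-`. It would be easier to verify as `req->length - (sz_xConfigureWindowReq / 4)`, or hoisted into a named count of value words computed before the loop. The declaration of `i` is outside the hunk. If it is unsigned, a request whose length is smaller than the header makes the subtraction wrap, and only the `i < 4` clause then limits the reads, so an explicit check that the length covers the header before entering the loop would state the intent directly. The literal 4 also deserves a short comment tying it to the "up to four 4-byte values" named in the commit message.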
From c79be20b5a150ae4888a5e4a21145646360b1cdd Mon Sep 17 00:00:00 2001 From: Michal Srb
Date: Mon, 4 Jul 2016 16:45:01 +0300 Subject: [PATCH] Fix buffer overflow in snapshot_stack_list.
diff --git a/src/win_utils.c b/src/win_utils.c index 45f70d4..2b9803f 100644 --- a/x11vnc/win_utils.c +++ b/x11vnc/win_utils.c @@ -248,8 +248,8 @@ void snapshot_stack_list(int free_only, double allowed_age) { } last_snap = now; - if (num > stack_list_len + blackouts) { - int n = 2*num; + if (num + blackouts > stack_list_len) { + int n = 2 * (num + blackouts); free(stack_list); stack_list = (winattr_t *) malloc(n*sizeof(winattr_t)); stack_list_len = n;
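Review bot: In the win_utils.c hunk for snapshot_stack_list, the context lines following the change set `stack_list_len = n;` immediately after `malloc(n*sizeof(winattr_t))`, and no NULL check is visible in the hunk. A failed allocation would then leave a recorded capacity of n for a NULL `stack_list`. Since this patch is about keeping writes inside that buffer, check the allocation result before updating the length. The sum `2 * (num + blackouts)` is stored in an `int`, so an upper bound on it before the multiplication by `sizeof(winattr_t)` would also be worth adding. The commit message has no body: one sentence on why `blackouts` has to count toward the required capacity would make the changed comparison easier to review.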