www.cendio.com
Bug 7010 - Xvnc crashes in ProcPutImage
Status: CLOSED FIXED
Product: ThinLinc
Component: VNC
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.9.0
Reported: 2017-07-12 15:08 by
Modified: 2017-07-13 10:24 (History)

Description From cendio 2017-07-12 15:08:34
We got a report with this crash under 4.8.0:

> (EE) 
> (EE) Backtrace:
> (EE) 0: /opt/thinlinc/libexec/Xvnc (xorg_backtrace+0x3f) [0x5d7fff]
> (EE) 1: /opt/thinlinc/libexec/Xvnc (0x400000+0x1db489) [0x5db489]
> (EE) 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f5a64388000+0x110c0) [0x7f5a643990c0]
> (EE) 3: /opt/thinlinc/libexec/Xvnc (ProcPutImage+0xd5) [0x5864b5]
> (EE) 4: /opt/thinlinc/libexec/Xvnc (Dispatch+0x28f) [0x5894df]
> (EE) 5: /opt/thinlinc/libexec/Xvnc (main+0x3ae) [0x49d75e]
> (EE) 6: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf1) [0x7f5a640092b1]
> (EE) 7: /opt/thinlinc/libexec/Xvnc (0x400000+0x9f143) [0x49f143]
> (EE) 
> (EE) Floating point exception at address 0x5864b5

Apparently happens with KDE without compositing on Debian 9.

------- Comment #2 From cendio 2017-07-12 15:10:52 -------
Following the address gives this line in dispatch.c:

>     if (lengthProto >= (INT32_MAX / stuff->height))

This seems to have been fixed upstream back in 2015:

https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b

It also got a CVE:

CVE-2015-3418
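To show what the quoted line does with a zero-height request and what the upstream fix changes, here is an added example that is my own reconstruction of the length validation around that line, not code from this bug report or from the Xorg tree. It takes the already-computed scanline byte count `lengthProto`, the request `height`, and the request length in 32-bit words; the status values, the 24-byte xPutImageReq header and the `height != 0` guard follow the X11 protocol and the upstream commit as I know them.

```c
#include <stdint.h>
#include <stdio.h>

/* X protocol status codes as returned by ProcPutImage (values from Xproto.h). */
#define Success   0
#define BadLength 16
/* Fixed header of a PutImage request (xPutImageReq) is 24 bytes = 6 words. */
#define PUT_IMAGE_REQ_BYTES 24
/* Same as the X server's bytes_to_int32(): bytes rounded up to 32-bit words. */
static uint32_t bytes_to_int32(uint32_t bytes) { return (bytes + 3) / 4; }

/* Guard as it stood when this crash was reported. INT32_MAX / height is an
 * integer division, so a request with height == 0 traps with SIGFPE inside
 * the request handler: the "Floating point exception" in the backtrace.
 * lengthProto: bytes per scanline already derived from width/format/depth;
 * req_len: total request length in 32-bit words as carried in the header. */
static int put_image_length_check_old(int32_t lengthProto, uint16_t height, uint32_t req_len)
{
    if (lengthProto >= (INT32_MAX / height))        /* divides by zero for height == 0 */
        return BadLength;
    if (bytes_to_int32((uint32_t)lengthProto * height) +
        bytes_to_int32(PUT_IMAGE_REQ_BYTES) != req_len)
        return BadLength;
    return Success;
}

/* Hardened guard in the shape of the upstream fix: a zero-height image carries
 * no pixel data, so the overflow division is skipped for it and the request
 * only has to be exactly one header long; non-zero heights still get the
 * lengthProto * height overflow guard. */
static int put_image_length_check_fixed(int32_t lengthProto, uint16_t height, uint32_t req_len)
{
    if (height != 0 && lengthProto >= (INT32_MAX / height))
        return BadLength;
    if (bytes_to_int32((uint32_t)lengthProto * height) +
        bytes_to_int32(PUT_IMAGE_REQ_BYTES) != req_len)
        return BadLength;
    return Success;
}

int main(void)
{
    /* Constructed cases: a 4x4 image with 16-byte rows is 6 + 16 = 22 words;
     * a 4x0 image is just the 6 header words. The old check would trap on it. */
    printf("4x4/22 words: old=%d fixed=%d\n",
           put_image_length_check_old(16, 4, 22), put_image_length_check_fixed(16, 4, 22));
    printf("4x0/6 words: fixed=%d\n", put_image_length_check_fixed(16, 0, 6));
    printf("huge row/3 rows: fixed=%d\n", put_image_length_check_fixed(INT32_MAX / 2, 3, 6));
    return 0;
}
```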

------- Comment #5 From cendio 2017-07-13 10:24:35 -------
We don't have a way to reproduce this, but the customer verified that the fix works.