|
Line
Link Here
|
|
null pointer dereference in VNC client code that can result DoS. |
|
null pointer dereference in VNC client code that can result DoS. |
| 1 |
-- |
|
|
| 2 |
The ultra.c code that this has originally been reported against is not present in |
1 |
The ultra.c code that this has originally been reported against is not present in |
| 3 |
ssvnc. |
2 |
ssvnc. |
| 4 |
-- a/vnc_unixsrc/vncviewer/zlib.c |
3 |
++ b/vnc_unixsrc/vncviewer/zlib.c |
|
Lines 55-60
Link Here
|
| 55 |
raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); |
55 |
raw_buffer_size = (( rw * rh ) * ( BPP / 8 )); |
| 56 |
raw_buffer = (char*) malloc( raw_buffer_size ); |
56 |
raw_buffer = (char*) malloc( raw_buffer_size ); |
| 57 |
|
57 |
|
|
|
58 |
if (raw_buffer == NULL) { |
| 59 |
|
| 60 |
return False; |
| 61 |
|
| 62 |
} |
| 58 |
} |
63 |
} |
| 59 |
|
64 |
|
| 60 |
if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) |
65 |
if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader)) |
| 61 |
-- a/vnc_unixsrc/vncviewer/zrle.c |
66 |
++ b/vnc_unixsrc/vncviewer/zrle.c |
|
Lines 132-137
Link Here
|
| 132 |
raw_buffer_size = min_buffer_size; |
132 |
raw_buffer_size = min_buffer_size; |
| 133 |
raw_buffer = (char*) malloc( raw_buffer_size ); |
133 |
raw_buffer = (char*) malloc( raw_buffer_size ); |
| 134 |
|
134 |
|
|
|
135 |
if ( raw_buffer == NULL ) { |
| 136 |
|
| 137 |
return False; |
| 138 |
|
| 139 |
} |
| 140 |
|
| 135 |
} |
141 |
} |
| 136 |
|
142 |
|
| 137 |
if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) |
143 |
if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader)) |
