null pointer dereference in VNC client code that can result DoS. |
|
null pointer dereference in VNC client code that can result DoS. |
1 |
-- |
|
|
2 |
The ultra.c code that this has originally been reported against is not present in |
1 |
The ultra.c code that this has originally been reported against is not present in |
3 |
ssvnc. |
2 |
ssvnc. |
4 |
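--- a/vnc_unixsrc/vncviewer/zlib.c
+++ b/vnc_unixsrc/vncviewer/zlib.c
@@ -55,6 +55,11 @@
 raw_buffer_size = (( rw * rh ) * ( BPP / 8 ));
 raw_buffer = (char*) malloc( raw_buffer_size );
 
+if (raw_buffer == NULL) {
+
+return False;
+
+}
 }
 
 if (!ReadFromRFBServer((char *)&hdr, sz_rfbZlibHeader))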
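Review bot: The new failure path returns with `raw_buffer_size` still holding the size assigned just above the malloc, while `raw_buffer` is NULL. If the enclosing condition, which starts outside this hunk, compares only the size on a later rectangle, allocation would be skipped and the NULL buffer used after all; adding `raw_buffer_size = 0;` before `return False;` keeps the two in step, and the same applies to the matching hunk in zrle.c. Separately, the NULL check does not cover a size that has wrapped: `( rw * rh ) * ( BPP / 8 )` is computed without a bound, so if `rw` and `rh` come from the server's rectangle header (not visible here), a range check before the malloc would be worth adding.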
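--- a/vnc_unixsrc/vncviewer/zrle.c
+++ b/vnc_unixsrc/vncviewer/zrle.c
@@ -132,6 +132,12 @@
 raw_buffer_size = min_buffer_size;
 raw_buffer = (char*) malloc( raw_buffer_size );
 
+if ( raw_buffer == NULL ) {
+
+return False;
+
+}
+
 }
 
 if (!ReadFromRFBServer((char *)&header, sz_rfbZRLEHeader))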