$OpenBSD: patch-server_libvncserver_rfbserver_c,v 1.4 2020/04/02 14:34:50 robert Exp $

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/vino/files/CVE-2014-6053.patch
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/vino/files/CVE-2018-7225.patch
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/vino/files/CVE-2019-15681.patch

Index: server/libvncserver/rfbserver.c
--- server/libvncserver/rfbserver.c.orig
+++ server/libvncserver/rfbserver.c
@@ -59,6 +59,9 @@
 #define DEBUGPROTO(x)
 #endif
 
+/* PRIu32 */
+#include <inttypes.h>
+
 rfbClientPtr pointerClient = NULL;  /* Mutex for pointer events */
 
 static void rfbProcessClientProtocolVersion(rfbClientPtr cl);
@@ -850,8 +853,29 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
 
 	msg.cct.length = Swap32IfLE(msg.cct.length);
 
-	str = (char *)malloc(msg.cct.length);
+	/* uint32_t input is passed to malloc()'s size_t argument,
+	 * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
+	 * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s int
+	 * argument. Here we impose a limit of 1 MB so that the value fits
+	 * into all of the types to prevent from misinterpretation and thus
+	 * from accessing uninitialized memory (CVE-2018-7225) and also to
+	 * prevent from a denial-of-service by allocating to much memory in
+	 * the server. */
+	if (msg.cct.length > 1<<20) {
+	    rfbLog("rfbClientCutText: too big cut text length requested: %" PRIu32 "\n",
+	     msg.cct.length);
+	    rfbCloseClient(cl);
+	    return;
+	}
 
+	/* Allow zero-length client cut text. */
+	str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
+	if (str == NULL) {
+  	    rfbLogPerror("rfbProcessClientNormalMessage: not enough memory");
+ 	    rfbCloseClient(cl);
+	    return;
+	}
+
 	if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) {
 	    if (n != 0)
 	        rfbLogPerror("rfbProcessClientNormalMessage: read");
@@ -1533,6 +1557,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *
     rfbClientPtr cl;
     rfbServerCutTextMsg sct;
     rfbClientIteratorPtr iterator;
+
+    memset((char *)&sct, 0, sizeof(sct));
 
     iterator = rfbGetClientIterator(rfbScreen);
     while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
