ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
This commit is contained in:
Mauro Matteo Cascella
Marc-André Lureau
parent
9c18a9234b
commit
d921fea338
@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
|||||||
ret = inflate(&stream, Z_FINISH);
|
ret = inflate(&stream, Z_FINISH);
|
||||||
switch (ret) {
|
switch (ret) {
|
||||||
case Z_OK:
|
case Z_OK:
|
||||||
case Z_STREAM_END:
|
|
||||||
break;
|
break;
|
||||||
|
case Z_STREAM_END:
|
||||||
|
*size = stream.total_out;
|
||||||
|
inflateEnd(&stream);
|
||||||
|
return out;
|
||||||
case Z_BUF_ERROR:
|
case Z_BUF_ERROR:
|
||||||
out_len <<= 1;
|
out_len <<= 1;
|
||||||
if (out_len > (1 << 20)) {
|
if (out_len > (1 << 20)) {
|
||||||
@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
*size = stream.total_out;
|
|
||||||
inflateEnd(&stream);
|
|
||||||
|
|
||||||
return out;
|
|
||||||
|
|
||||||
err_end:
|
err_end:
|
||||||
inflateEnd(&stream);
|
inflateEnd(&stream);
|
||||||
err:
|
err:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user