ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)

A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).

Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
This commit is contained in:
Mauro Matteo Cascella 2023-07-04 10:41:22 +02:00 committed by Marc-André Lureau
parent 9c18a9234b
commit d921fea338

View File

@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
ret = inflate(&stream, Z_FINISH);
switch (ret) {
case Z_OK:
case Z_STREAM_END:
break;
case Z_STREAM_END:
*size = stream.total_out;
inflateEnd(&stream);
return out;
case Z_BUF_ERROR:
out_len <<= 1;
if (out_len > (1 << 20)) {
@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
}
}
*size = stream.total_out;
inflateEnd(&stream);
return out;
err_end:
inflateEnd(&stream);
err: