ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab
("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
This commit is contained in:
parent
9c18a9234b
commit
d921fea338
@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
||||
ret = inflate(&stream, Z_FINISH);
|
||||
switch (ret) {
|
||||
case Z_OK:
|
||||
case Z_STREAM_END:
|
||||
break;
|
||||
case Z_STREAM_END:
|
||||
*size = stream.total_out;
|
||||
inflateEnd(&stream);
|
||||
return out;
|
||||
case Z_BUF_ERROR:
|
||||
out_len <<= 1;
|
||||
if (out_len > (1 << 20)) {
|
||||
@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
||||
}
|
||||
}
|
||||
|
||||
*size = stream.total_out;
|
||||
inflateEnd(&stream);
|
||||
|
||||
return out;
|
||||
|
||||
err_end:
|
||||
inflateEnd(&stream);
|
||||
err:
|
||||
|
Loading…
Reference in New Issue
Block a user