Hello community,
here is the log from the commit of package LibVNCServer.13390 for
openSUSE:Leap:15.2:Update checked in at 2020-07-21 10:27:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/LibVNCServer.13390 (Old)
and /work/SRC/openSUSE:Leap:15.2:Update/.LibVNCServer.13390.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "LibVNCServer.13390"
Tue Jul 21 10:27:19 2020 rev:1 rq:821582 version:0.9.10
Changes:
--------
New Changes file:
--- /dev/null 2020-07-16 02:54:20.700682797 +0200
+++
/work/SRC/openSUSE:Leap:15.2:Update/.LibVNCServer.13390.new.3592/LibVNCServer.changes
2020-07-21 10:27:20.638844065 +0200
@@ -0,0 +1,394 @@
+-------------------------------------------------------------------
+Thu Jul 9 13:22:00 UTC 2020 - [email protected]
+
+- security update
+- added patches
+ fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are
vulnerable to Information leak
+ + LibVNCServer-CVE-2018-21247.patch
+ fix CVE-2019-20839 [bsc#1173875], buffer overflow in
ConnectClientToUnixSock()
+ + LibVNCServer-CVE-2019-20839.patch
+ fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode
can lead to denial of service
+ + LibVNCServer-CVE-2019-20840.patch
+ fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an
infinite loop in libvncclient/sockets.c
+ + LibVNCServer-CVE-2020-14398.patch
+
+-------------------------------------------------------------------
+Wed Jul 8 07:55:15 UTC 2020 - [email protected]
+
+- security update
+- added patches
+ fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in
libvncserver/rfbregion.c
+ + LibVNCServer-CVE-2020-14397.patch
+ fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through
uint32_t pointers in libvncclient/rfbproto.c.
+ + LibVNCServer-CVE-2020-14399.patch
+ fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through
uint16_t pointers in libvncserver/translate.c.
+ + LibVNCServer-CVE-2020-14400.patch
+ fix CVE-2020-14401 [bsc#1173694], potential integer overflows in
libvncserver/scale.c
+ + LibVNCServer-CVE-2020-14401.patch
+ fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
+ + LibVNCServer-CVE-2020-14402,14403,14404.patch
+
+-------------------------------------------------------------------
+Tue Jun 30 13:10:47 UTC 2020 - [email protected]
+
+- security update
+- added patches
+ fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
+ + LibVNCServer-CVE-2017-18922.patch
+
+-------------------------------------------------------------------
+Mon Apr 27 09:22:31 UTC 2020 - [email protected]
+
+- security update
+- added patches
+ fix CVE-2019-15690 [bsc#1160471], heap buffer overflow
+ + LibVNCServer-CVE-2019-15690.patch
+ fix CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer
overflow via a large height or width value
+ + LibVNCServer-CVE-2019-20788.patch
+
+-------------------------------------------------------------------
+Mon Nov 4 12:50:59 UTC 2019 - [email protected]
+
+- security update
+- added patches
+ CVE-2019-15681 [bsc#1155419]
+ + LibVNCServer-CVE-2019-15681.patch
+- note the correct way how to run the testsuite, it does not
+ seem to be usable as it is, though (segfaults)
+
+-------------------------------------------------------------------
+Wed Feb 20 15:56:14 UTC 2019 - Felix Zhang <[email protected]>
+
+- Add BuildRequire libgnutls-devel: Remmina needs it for VNC
+ connections (boo#1123805)
+
+-------------------------------------------------------------------
+Tue Feb 5 13:54:49 UTC 2019 - Petr Gajdos <[email protected]>
+
+- security update
+ * CVE-2018-20749 [bsc#1123828]
+ + LibVNCServer-CVE-2018-20749.patch
+ * CVE-2018-20750 [bsc#1123832]
+ + LibVNCServer-CVE-2018-20750.patch
+ * CVE-2018-20748 [bsc#1123823]
+ + LibVNCServer-CVE-2018-20748.patch
+
+-------------------------------------------------------------------
+Thu Jan 3 11:13:42 UTC 2019 - Petr Gajdos <[email protected]>
+
+- security update
+ * CVE-2018-15126 [bsc#1120114]
+ + LibVNCServer-CVE-2018-15126.patch
+ * CVE-2018-6307 [bsc#1120115]
+ + LibVNCServer-CVE-2018-6307.patch
+ * CVE-2018-20020 [bsc#1120116]
+ + LibVNCServer-CVE-2018-20020.patch
+ * CVE-2018-15127 [bsc#1120117]
+ + LibVNCServer-CVE-2018-15127.patch
+ * CVE-2018-20019 [bsc#1120118]
+ + LibVNCServer-CVE-2018-20019.patch
+ * CVE-2018-20023 [bsc#1120119]
+ + LibVNCServer-CVE-2018-20023.patch
+ * CVE-2018-20022 [bsc#1120120]
+ + LibVNCServer-CVE-2018-20022.patch
+ * CVE-2018-20024 [bsc#1120121]
+ + LibVNCServer-CVE-2018-20024.patch
+ * CVE-2018-20021 [bsc#1120122]
+ + LibVNCServer-CVE-2018-20021.patch
+
+-------------------------------------------------------------------
+Tue Mar 20 07:42:09 UTC 2018 - [email protected]
+
+- security update
+ * CVE-2018-7225 [bsc#1081493]
+ + LibVNCServer-CVE-2018-7225.patch
+
+-------------------------------------------------------------------
+Tue May 24 17:25:53 UTC 2016 - [email protected]
+
+- Fix build errors of applications using stl_algobase.h and
+ libvncserver's rfbproto.h, e.g. krfb (issue #102)
+ * Add libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch
+
+-------------------------------------------------------------------
+Sun Feb 8 04:24:43 UTC 2015 - [email protected]
+
+- Remove xorg-x11-devel from buildRequires, X libraries
+ are not directly used/linked
+
+-------------------------------------------------------------------
+Sun Feb 8 03:54:55 UTC 2015 - [email protected]
+
+- libvncserver-0.9.10-ossl.patch: Update, do not
+ RAND_load_file("/dev/urandom", 1024) if the the PRNG is already
+ seeded. (It always is on linux)
+
+-------------------------------------------------------------------
+Sat Dec 13 13:50:35 UTC 2014 - [email protected]
+
+- Update to version 0.9.10
+ + Moved the whole project from sourceforge to https://libvnc.github.io/.
+ + Cleaned out the autotools build system which now uses autoreconf.
+ + Updated noVNC HTML5 client to latest version.
+ + Split out x11vnc sources into separate repository at
+ https://github.com/LibVNC/x11vnc
+ + Split out vncterm sources into separate repository at
+ https://github.com/LibVNC/vncterm
+ + Split out VisualNaCro sources into separate repository at
+ https://github.com/LibVNC/VisualNaCro
+ + Merged Debian patches.
+ + Fixed some security-related buffer overflow cases.
+ + Added compatibility headers to make LibVNCServer/LibVNCClient
+ build on native Windows 8.
+ + Update LZO to version 2.07, fixing CVE-2014-4607.
+ + Merged patches from KDE/krfb.
+ + Can now do IPv6 without IPv4.
+ + Fixed a use-after-free issue in scale.c.
+- Update Url and download source to new project home
+- Remove LibVNCServer-0.9.9-no_x11vnc.patch; upstream splited it
+ out of main tarball
+- Rebase libvncserver-ossl.patch to upstream changes
+ > libvncserver-0.9.10-ossl.patch
+- Remove linuxvnc subpackage; like x11vnc, it has been splited out
+ but is depreciated and unmaintained.
+
+-------------------------------------------------------------------
+Fri Oct 3 19:51:18 UTC 2014 - [email protected]
+
+- Obsolete old LibVNCServer.rpm in libvncclient0 package. The old
+ version included binaries, devel and runtime libs. But nothing
+ removes the old package, which leads to file conflicts during
+ upgrade if linuxvnc.rpm is not on the install media (bnc#893343)
+
+-------------------------------------------------------------------
+Tue Jul 1 13:35:34 UTC 2014 - [email protected]
+
+- remove old .bz2 file
+
+-------------------------------------------------------------------
+Mon Mar 18 09:36:38 UTC 2013 - [email protected]
+
+- Add Url to Source section in spec file
+
+-------------------------------------------------------------------
+Sat Jan 12 14:01:28 UTC 2013 - [email protected]
+
+- Follow shared library packaging guidelines
+- Avoid self-obsolete tag
+- Put libvncserver-config into -devel where it should belong
+- Provide pkgconfig() RPM symbols
+
+-------------------------------------------------------------------
+Tue Jan 1 19:35:08 UTC 2013 - [email protected]
+
+- Switch SSL backend to openssl, we all agree that OpenSSL
+ has it faults, but it is heavily optimized in all platforms
+ not only x86 and performance matters in interactive,latency
+ sensitive tasks like VNC.
+
+- libvncserver-ossl.patch Ensures openssl use less memory
+ and avoid abi breaks on openSSL updates.
+
+-------------------------------------------------------------------
+Sun Dec 30 22:02:37 UTC 2012 - [email protected]
+
+- libvncserver-byteswap.patch : USe OS byteswapping macros
+ which are optimized for the target arch.
+
++++ 197 more lines (skipped)
++++ between /dev/null
++++ and
/work/SRC/openSUSE:Leap:15.2:Update/.LibVNCServer.13390.new.3592/LibVNCServer.changes
New:
----
LibVNCServer-CVE-2017-18922.patch
LibVNCServer-CVE-2018-15126.patch
LibVNCServer-CVE-2018-15127.patch
LibVNCServer-CVE-2018-20019.patch
LibVNCServer-CVE-2018-20020.patch
LibVNCServer-CVE-2018-20021.patch
LibVNCServer-CVE-2018-20022.patch
LibVNCServer-CVE-2018-20023.patch
LibVNCServer-CVE-2018-20024.patch
LibVNCServer-CVE-2018-20748.patch
LibVNCServer-CVE-2018-20749.patch
LibVNCServer-CVE-2018-20750.patch
LibVNCServer-CVE-2018-21247.patch
LibVNCServer-CVE-2018-6307.patch
LibVNCServer-CVE-2018-7225.patch
LibVNCServer-CVE-2019-15681.patch
LibVNCServer-CVE-2019-15690.patch
LibVNCServer-CVE-2019-20788.patch
LibVNCServer-CVE-2019-20839.patch
LibVNCServer-CVE-2019-20840.patch
LibVNCServer-CVE-2020-14397.patch
LibVNCServer-CVE-2020-14398.patch
LibVNCServer-CVE-2020-14399.patch
LibVNCServer-CVE-2020-14400.patch
LibVNCServer-CVE-2020-14401.patch
LibVNCServer-CVE-2020-14402,14403,14404.patch
LibVNCServer.changes
LibVNCServer.spec
baselibs.conf
libvncserver-0.9.1-multilib.patch
libvncserver-0.9.10-ossl.patch
libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch
libvncserver-LibVNCServer-0.9.10.tar.gz
libvncserver-byteswap.patch
redef-keysym.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ LibVNCServer.spec ++++++
#
# spec file for package LibVNCServer
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: LibVNCServer
Version: 0.9.10
Release: 0
Summary: VNC Development Library
License: GPL-2.0+
Group: Development/Libraries/X11
Url: https://github.com/LibVNC/libvncserver
# Archive is renamed by github
#Source0:
https://github.com/LibVNC/libvncserver/archive/%{name}-%{version}.tar.gz
Source0: libvncserver-%{name}-%{version}.tar.gz
Source1: baselibs.conf
#PATCH-FIX-OPENSUSE: multilib support
Patch1: libvncserver-0.9.1-multilib.patch
#PATCH-FIX-OPENSUSE: redefine keysyms only if needed
Patch7: redef-keysym.patch
#PATCH_FIX-OPENSUSE: Use system fast byteswap routines.
Patch11: libvncserver-byteswap.patch
Patch12: libvncserver-%{version}-ossl.patch
#PATCH-FIX-UPSTREAM: use namespaced rfbMax macro (avoids conflicts with
stl_algobase.h), picked from upstream
Patch13: libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch
Patch14: LibVNCServer-CVE-2018-7225.patch
Patch15: LibVNCServer-CVE-2018-15126.patch
Patch16: LibVNCServer-CVE-2018-6307.patch
Patch17: LibVNCServer-CVE-2018-20020.patch
Patch18: LibVNCServer-CVE-2018-15127.patch
Patch19: LibVNCServer-CVE-2018-20019.patch
Patch20: LibVNCServer-CVE-2018-20023.patch
Patch21: LibVNCServer-CVE-2018-20022.patch
Patch22: LibVNCServer-CVE-2018-20024.patch
Patch23: LibVNCServer-CVE-2018-20021.patch
Patch24: LibVNCServer-CVE-2018-20749.patch
Patch25: LibVNCServer-CVE-2018-20750.patch
Patch26: LibVNCServer-CVE-2018-20748.patch
# CVE-2019-15681 [bsc#1155419]
Patch27: LibVNCServer-CVE-2019-15681.patch
# CVE-2019-20788 [bsc#1170441], integer overflow and heap-based buffer overflow
via a large height or width value
Patch28: LibVNCServer-CVE-2019-20788.patch
# CVE-2019-15690 [bsc#1160471], heap buffer overflow
Patch29: LibVNCServer-CVE-2019-15690.patch
# CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
Patch30: LibVNCServer-CVE-2017-18922.patch
# CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t
pointers in libvncserver/translate.c.
Patch31: LibVNCServer-CVE-2020-14400.patch
# CVE-2020-14401 [bsc#1173694], potential integer overflows in
libvncserver/scale.c
Patch32: LibVNCServer-CVE-2020-14401.patch
# CVE-2020-14397 [bsc#1173700], NULL pointer dereference in
libvncserver/rfbregion.c
Patch33: LibVNCServer-CVE-2020-14397.patch
# CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
Patch34: LibVNCServer-CVE-2020-14402,14403,14404.patch
# CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t
pointers in libvncclient/rfbproto.c.
Patch35: LibVNCServer-CVE-2020-14399.patch
# CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can
lead to denial of service
Patch36: LibVNCServer-CVE-2019-20840.patch
# CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
Patch37: LibVNCServer-CVE-2019-20839.patch
# CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to
Information leak
Patch38: LibVNCServer-CVE-2018-21247.patch
# CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an
infinite loop in libvncclient/sockets.c
Patch39: LibVNCServer-CVE-2020-14398.patch
BuildRequires: libavahi-devel
BuildRequires: libgcrypt-devel
BuildRequires: libgnutls-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libtool
BuildRequires: lzo-devel
BuildRequires: openssl-devel
BuildRequires: pkgconfig
BuildRequires: slang-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
VNC is a set of programs using the RFB (Remote Frame Buffer) protocol.
They are designed to "export" a frame buffer via the network. It is
already in wide use for administration, but it is not that easy to
program a server yourself. This has been changed by LibVNCServer.
X.org already has a virtual Xvnc server which you can start as an own
screen (e.g. :1) and connect to with a VNC client (e.g. vncviewer from
tightvnc). The x11vnc binary (that allows you to export the window of a
real running X11 server) has been split off into its own package on
2007-07-16.
%package -n libvncclient0
Summary: Library implementing a VNC client
Group: System/Libraries
Obsoletes: linuxvnc < %{version}
Conflicts: LibVNCServer < %version
%description -n libvncclient0
LibVNCServer/LibVNCClient are cross-platform C libraries that allow
implementing VNC server or client functionality in your program.
%package -n libvncserver0
Summary: Library implementing a VNC server
Group: System/Libraries
%description -n libvncserver0
LibVNCServer/LibVNCClient are cross-platform C libraries that allow
implementing VNC server or client functionality in your program.
%package devel
Requires: gnutls-devel
Requires: libvncclient0 = %version
Requires: libvncserver0 = %version
Requires: zlib-devel
Summary: VNC Development Library
Group: Development/Libraries/X11
%description devel
VNC is a set of programs using the RFB (Remote Frame Buffer) protocol.
They are designed to "export" a frame buffer via the network. It is
already in wide use for administration, but it is not that easy to
program a server yourself. This has been changed by LibVNCServer.
X.org already has a virtual Xvnc server which you can start as an own
screen (e.g. :1) and connect to with a VNC client (e.g. vncviewer from
tightvnc).
The LibVNCServer-devel package contains the static libraries and header
files for LibVNCServer.
%prep
%setup -q -n libvncserver-%{name}-%{version}
%patch1 -p1 -b .multilib
#%patch2 -p1 -b .system_minilzo
%patch7 -p1
# aclocal; autoheader; automake --add-missing --copy; autoconf
# ./configure --enable-maintainer-mode
# sh ./autogen.sh
%patch11
%patch12
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
# fix encoding
for file in AUTHORS ChangeLog ; do
mv ${file} ${file}.OLD && \
iconv -f ISO_8859-1 -t UTF8 ${file}.OLD > ${file} && \
touch --reference ${file}.OLD $file
done
#nuke bundled minilzo
#rm -f common/lzodefs.h common/lzoconf.h commmon/minilzo.h common/minilzo.c
# needed by patch 2 (and to nuke rpath's)
#autoreconf
%build
CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_REENTRANT" \
NOCONFIGURE=1 ./autogen.sh
# Plase note that tightvn cause a problem; need to be fix
%configure --disable-static --with-pic --enable-shared --with-gnu-ld
--without-tightvnc-filetransfer --disable-silent-rules
make %{?_smp_mflags}
%{__install} -d -m0755 RPM_BUILD_ROOT%{_datadir}/x11vnc/classes
%check
pushd test
# encodingstest segfaults during rfbShutdownServer() [no of our patch causes
the segfault]
make test || true
popd
%install
%makeinstall
%{__rm} -f %{buildroot}%{_libdir}/*.la
%{__rm} -f %{buildroot}%{_libdir}/*.a
%post -n libvncclient0 -p /sbin/ldconfig
%postun -n libvncclient0 -p /sbin/ldconfig
%post -n libvncserver0 -p /sbin/ldconfig
%postun -n libvncserver0 -p /sbin/ldconfig
%files -n libvncserver0
%defattr(-,root,root)
%doc COPYING README
%_libdir/libvncserver.so.0*
%files -n libvncclient0
%defattr(-,root,root)
%doc COPYING README
%_libdir/libvncclient.so.0*
%files devel
%defattr(-,root,root)
%doc AUTHORS COPYING ChangeLog NEWS README TODO
%{_bindir}/libvncserver-config
%{_includedir}/rfb/*
%dir /usr/include/rfb
%{_libdir}/libvncclient.so
%{_libdir}/libvncserver.so
%{_libdir}/pkgconfig/*.pc
%changelog
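Review bot: In `%check`, `make test || true` throws away the test result, so a regression introduced by any of the 26 CVE patches applied in `%prep` cannot fail the build. The comment says only encodingstest segfaults; if so, excluding that one test and letting the rest gate the build would be safer than masking the whole suite. In `%build`, `%{__install} -d -m0755 RPM_BUILD_ROOT%{_datadir}/x11vnc/classes` is missing the `$`, so it creates a directory literally named `RPM_BUILD_ROOT...` under the build tree; since the changelog says x11vnc was split out, the line can probably be dropped. The `%configure` line passes `--without-tightvnc-filetransfer`, so the code changed by LibVNCServer-CVE-2018-15126.patch is presumably not compiled into this package; a short comment next to `Patch15` saying so would help anyone auditing exposure.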
++++++ LibVNCServer-CVE-2017-18922.patch ++++++
++++ 761 lines (skipped)
++++++ LibVNCServer-CVE-2018-15126.patch ++++++
diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
index 5f84e7f3..0003b11f 100644
--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.c
+++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.c
@@ -672,7 +672,7 @@ ChkFileUploadWriteErr(rfbClientPtr cl, rfbTightClientPtr
rtcp, char* pBuf)
char reason[] = "Error writing file data";
int reasonLen = strlen(reason);
ftm = CreateFileUploadErrMsg(reason, reasonLen);
- CloseUndoneFileTransfer(cl, rtcp);
+ CloseUndoneFileUpload(cl, rtcp);
}
return ftm;
}
@@ -735,7 +735,7 @@ CreateFileUploadErrMsg(char* reason, unsigned int reasonLen)
******************************************************************************/
void
-CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr rtcp)
+CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr rtcp)
{
/* TODO :: File Upload case is not handled currently */
/* TODO :: In case of concurrency we need to use Critical Section */
@@ -759,9 +759,19 @@ CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr
rtcp)
memset(rtcp->rcft.rcfu.fName, 0 , PATH_MAX);
}
+}
+
+
+void
+CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
+{
+ if(cl == NULL)
+ return;
if(rtcp->rcft.rcfd.downloadInProgress == TRUE) {
rtcp->rcft.rcfd.downloadInProgress = FALSE;
+ /* the thread will return if downloadInProgress is FALSE */
+ pthread_join(rtcp->rcft.rcfd.downloadThread, NULL);
if(rtcp->rcft.rcfd.downloadFD != -1) {
close(rtcp->rcft.rcfd.downloadFD);
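Review bot: The stop signal in `CloseUndoneFileDownload` is a plain store to `rtcp->rcft.rcfd.downloadInProgress` (declared `int` in the rfbtightproto.h hunk) followed directly by `pthread_join`, and nothing visible orders that store with the download thread's reads. The `HandleFileDownloadCancelRequest` hunk calls this function with `fileDownloadMutex` held, while the `rfbTightExtensionClientClose` and `HandleFileDownload` hunks call it without. If the download thread also takes that mutex (not visible here), joining under the lock can deadlock, so one locking rule should be chosen and documented above the function, e.g. `/* Caller must not hold fileDownloadMutex; this joins the download thread. */`. The guard also checks only `cl` although every following line dereferences `rtcp`: `if(cl == NULL || rtcp == NULL) return;`. The function body continues past the end of the hunk.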
diff --git a/libvncserver/tightvnc-filetransfer/filetransfermsg.h
b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
index 3b27bd04..bbb9148d 100644
--- a/libvncserver/tightvnc-filetransfer/filetransfermsg.h
+++ b/libvncserver/tightvnc-filetransfer/filetransfermsg.h
@@ -51,7 +51,8 @@ FileTransferMsg ChkFileUploadWriteErr(rfbClientPtr cl,
rfbTightClientPtr data, c
void CreateDirectory(char* dirName);
void FileUpdateComplete(rfbClientPtr cl, rfbTightClientPtr data);
-void CloseUndoneFileTransfer(rfbClientPtr cl, rfbTightClientPtr data);
+void CloseUndoneFileUpload(rfbClientPtr cl, rfbTightClientPtr data);
+void CloseUndoneFileDownload(rfbClientPtr cl, rfbTightClientPtr data);
void FreeFileTransferMsg(FileTransferMsg ftm);
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
index 04737831..71fb0851 100644
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
@@ -489,12 +489,6 @@ RunFileDownloadThread(void* client)
if(rfbWriteExact(cl, fileDownloadMsg.data,
fileDownloadMsg.length) < 0) {
rfbLog("File [%s]: Method [%s]: Error while
writing to socket \n"
, __FILE__, __FUNCTION__);
-
- if(cl != NULL) {
- rfbCloseClient(cl);
- CloseUndoneFileTransfer(cl, rtcp);
- }
-
FreeFileTransferMsg(fileDownloadMsg);
return NULL;
}
@@ -508,7 +502,6 @@ RunFileDownloadThread(void* client)
void
HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
{
- pthread_t fileDownloadThread;
FileTransferMsg fileDownloadMsg;
memset(&fileDownloadMsg, 0, sizeof(FileTransferMsg));
@@ -518,10 +511,9 @@ HandleFileDownload(rfbClientPtr cl, rfbTightClientPtr rtcp)
FreeFileTransferMsg(fileDownloadMsg);
return;
}
- rtcp->rcft.rcfd.downloadInProgress = FALSE;
- rtcp->rcft.rcfd.downloadFD = -1;
+ CloseUndoneFileDownload(cl, rtcp);
- if(pthread_create(&fileDownloadThread, NULL, RunFileDownloadThread,
(void*)
+ if(pthread_create(&rtcp->rcft.rcfd.downloadThread, NULL,
RunFileDownloadThread, (void*)
cl) != 0) {
FileTransferMsg ftm = GetFileDownLoadErrMsg();
@@ -593,7 +585,7 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl,
rfbTightClientPtr rtcp)
" reason <%s>\n", __FILE__,
__FUNCTION__, reason);
pthread_mutex_lock(&fileDownloadMutex);
- CloseUndoneFileTransfer(cl, rtcp);
+ CloseUndoneFileDownload(cl, rtcp);
pthread_mutex_unlock(&fileDownloadMutex);
if(reason != NULL) {
@@ -836,7 +828,7 @@ HandleFileUploadDataRequest(rfbClientPtr cl,
rfbTightClientPtr rtcp)
FreeFileTransferMsg(ftm);
}
- CloseUndoneFileTransfer(cl, rtcp);
+ CloseUndoneFileUpload(cl, rtcp);
if(pBuf != NULL) {
free(pBuf);
@@ -936,7 +928,7 @@ HandleFileUploadFailedRequest(rfbClientPtr cl,
rfbTightClientPtr rtcp)
rfbLog("File [%s]: Method [%s]: File Upload Failed Request received:"
" reason <%s>\n", __FILE__, __FUNCTION__,
reason);
- CloseUndoneFileTransfer(cl, rtcp);
+ CloseUndoneFileUpload(cl, rtcp);
if(reason != NULL) {
free(reason);
diff --git a/libvncserver/tightvnc-filetransfer/rfbtightproto.h
b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
index d0fe642e..30fc5f54 100644
--- a/libvncserver/tightvnc-filetransfer/rfbtightproto.h
+++ b/libvncserver/tightvnc-filetransfer/rfbtightproto.h
@@ -148,6 +148,7 @@ typedef struct _rfbClientFileDownload {
int downloadInProgress;
unsigned long mTime;
int downloadFD;
+ pthread_t downloadThread;
} rfbClientFileDownload ;
typedef struct _rfbClientFileUpload {
diff --git a/libvncserver/tightvnc-filetransfer/rfbtightserver.c
b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
index 67d4cb54..651d8fb7 100644
--- a/libvncserver/tightvnc-filetransfer/rfbtightserver.c
+++ b/libvncserver/tightvnc-filetransfer/rfbtightserver.c
@@ -26,6 +26,7 @@
#include <rfb/rfb.h>
#include "rfbtightproto.h"
#include "handlefiletransferrequest.h"
+#include "filetransfermsg.h"
/*
* Get my data!
@@ -448,9 +449,11 @@ rfbTightExtensionMsgHandler(struct _rfbClientRec* cl,
void* data,
void
rfbTightExtensionClientClose(rfbClientPtr cl, void* data) {
- if(data != NULL)
+ if(data != NULL) {
+ CloseUndoneFileUpload(cl, data);
+ CloseUndoneFileDownload(cl, data);
free(data);
-
+ }
}
void
++++++ LibVNCServer-CVE-2018-15127.patch ++++++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index ed1365a5..6ca511fe 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1465,7 +1465,7 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl,
uint32_t length)
rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
*/
if (length>0) {
- buffer=malloc(length+1);
+ buffer=malloc((uint64_t)length+1);
if (buffer!=NULL) {
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
if (n != 0)
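Review bot: The `(uint64_t)length+1` cast in `rfbProcessFileTransferReadBuffer` only prevents the wrap where `size_t` is 64 bits wide; on a 32-bit build the sum is converted back to `size_t` for `malloc`, and `length == 0xFFFFFFFF` still requests zero bytes. There is also no upper bound, so the peer-supplied `length` can ask for an allocation of up to 4 GiB. An explicit limit before the allocation covers both cases, for example `if (length > FT_MAX_LENGTH) { rfbCloseClient(cl); return NULL; }`, where `FT_MAX_LENGTH` is a placeholder for whatever limit the project chooses. The same cast is added in the three hunks of LibVNCServer-CVE-2018-20019.patch; for `ReadReason` and `rfbHandleAuthResult` the CVE-2018-20748 patch further down replaces it with a 1 MB limit. The function starts and ends outside this hunk.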
++++++ LibVNCServer-CVE-2018-20019.patch ++++++
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 8d6a4c1f..ac2a9835 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -433,7 +433,7 @@ rfbHandleAuthResult(rfbClient* client)
/* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc(reasonLen+1);
+ reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason);
return FALSE; }
reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason);
@@ -461,7 +461,7 @@ ReadReason(rfbClient* client)
/* we have an error following */
if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc(reasonLen+1);
+ reason = malloc((uint64_t)reasonLen+1);
if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return;
}
reason[reasonLen]=0;
rfbClientLog("VNC connection failed: %s\n",reason);
@@ -2187,10 +2187,12 @@ HandleRFBServerMessage(rfbClient* client)
msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
- buffer = malloc(msg.sct.length+1);
+ buffer = malloc((uint64_t)msg.sct.length+1);
- if (!ReadFromRFBServer(client, buffer, msg.sct.length))
+ if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
+ free(buffer);
return FALSE;
+ }
buffer[msg.sct.length] = 0;
++++++ LibVNCServer-CVE-2018-20020.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/corre.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/corre.c 2019-01-03
12:38:57.453896187 +0100
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/corre.c 2019-01-03
12:41:56.546759596 +0100
@@ -48,7 +48,7 @@ HandleCoRREBPP (rfbClient* client, int r
FillRectangle(client, rx, ry, rw, rh, pix);
- if (!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP /
8))))
+ if (hdr.nSubrects > RFB_BUFFER_SIZE / (4 + (BPP / 8)) ||
!ReadFromRFBServer(client, client->buffer, hdr.nSubrects * (4 + (BPP / 8))))
return FALSE;
ptr = (uint8_t *)client->buffer;
++++++ LibVNCServer-CVE-2018-20021.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/rfbproto.c
2019-01-03 17:21:11.262257813 +0100
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c 2019-01-03
17:21:48.098436189 +0100
@@ -1944,7 +1944,7 @@ HandleRFBServerMessage(rfbClient* client
bytesPerLine = rect.r.w * client->format.bitsPerPixel / 8;
linesToRead = RFB_BUFFER_SIZE / bytesPerLine;
- while (h > 0) {
+ while (linesToRead && h > 0) {
if (linesToRead > h)
linesToRead = h;
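Review bot: The new `linesToRead &&` test comes after `linesToRead = RFB_BUFFER_SIZE / bytesPerLine;`, so a rectangle whose `bytesPerLine` works out to 0 (for example `rect.r.w == 0`, unless that is rejected earlier outside this hunk) still divides by zero. When `bytesPerLine` exceeds `RFB_BUFFER_SIZE`, the loop is now skipped silently and, as far as the hunk shows, the rectangle is treated as handled while its pixel data is still unread on the socket. Rejecting both cases before the division states the intent directly: `if (bytesPerLine == 0 || bytesPerLine > RFB_BUFFER_SIZE) return FALSE;`. `HandleRFBServerMessage` starts and ends outside the hunk.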
++++++ LibVNCServer-CVE-2018-20022.patch ++++++
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index 669e3884..808ad4d2 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1643,6 +1643,7 @@ SendKeyEvent(rfbClient* client, uint32_t key, rfbBool
down)
if (!SupportsClient2Server(client, rfbKeyEvent)) return TRUE;
+ memset(&ke, 0, sizeof(ke));
ke.type = rfbKeyEvent;
ke.down = down ? 1 : 0;
ke.key = rfbClientSwap32IfLE(key);
@@ -1661,6 +1662,7 @@ SendClientCutText(rfbClient* client, char *str, int len)
if (!SupportsClient2Server(client, rfbClientCutText)) return TRUE;
+ memset(&cct, 0, sizeof(cct));
cct.type = rfbClientCutText;
cct.length = rfbClientSwap32IfLE(len);
return (WriteToRFBServer(client, (char *)&cct, sz_rfbClientCutTextMsg) &&
++++++ LibVNCServer-CVE-2018-20023.patch ++++++
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index e5373bc4..669e3884 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -363,6 +363,7 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char
*repeaterHost, int rep
rfbProtocolVersionMsg pv;
int major,minor;
char tmphost[250];
+ int tmphostlen;
#ifdef LIBVNCSERVER_IPv6
client->sock = ConnectClientToTcpAddr6(repeaterHost, repeaterPort);
@@ -398,8 +399,11 @@ rfbBool ConnectToRFBRepeater(rfbClient* client,const char
*repeaterHost, int rep
rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n",
major, minor);
- snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
- if (!WriteToRFBServer(client, tmphost, sizeof(tmphost)))
+ tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
+ if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
+ return FALSE; /* snprintf error or output truncated */
+
+ if (!WriteToRFBServer(client, tmphost, tmphostlen + 1))
return FALSE;
return TRUE;
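Review bot: `WriteToRFBServer(client, tmphost, tmphostlen + 1)` changes the number of bytes sent to the repeater from the fixed `sizeof(tmphost)` to the string length plus terminator. That stops uninitialised stack bytes from being sent, but if the repeater reads a fixed-size field (not determinable from this hunk), the peer will wait for bytes that never arrive. Zero-filling keeps the wire format and still avoids the leak: add `memset(tmphost, 0, sizeof(tmphost));` before the `snprintf`, keep the truncation check, and send `sizeof(tmphost)` as before.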
++++++ LibVNCServer-CVE-2018-20024.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/ultra.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/ultra.c 2014-10-21
17:57:11.000000000 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/ultra.c 2019-01-03
17:16:03.336767063 +0100
@@ -66,6 +66,8 @@ HandleUltraBPP (rfbClient* client, int r
if ((client->raw_buffer_size % 4)!=0)
client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
client->raw_buffer = (char*) malloc( client->raw_buffer_size );
+ if(client->raw_buffer == NULL)
+ return FALSE;
}
/* allocate enough space to store the incoming compressed packet */
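Review bot: On allocation failure the added `return FALSE` leaves `client->raw_buffer_size` at the new, rounded-up value while `client->raw_buffer` is NULL. If the enclosing condition (outside the hunk) compares the required size against `raw_buffer_size`, a later rectangle of the same or smaller size would skip the allocation and use the NULL buffer. Resetting the size on failure keeps the two fields consistent: `if(client->raw_buffer == NULL) { client->raw_buffer_size = 0; return FALSE; }`. The same applies to the `HandleUltraZipBPP` hunk that follows.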
@@ -150,6 +152,8 @@ HandleUltraZipBPP (rfbClient* client, in
if ((client->raw_buffer_size % 4)!=0)
client->raw_buffer_size += (4-(client->raw_buffer_size % 4));
client->raw_buffer = (char*) malloc( client->raw_buffer_size );
+ if(client->raw_buffer == NULL)
+ return FALSE;
}
++++++ LibVNCServer-CVE-2018-20748.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/rfbproto.c
2019-02-05 14:37:52.555664326 +0100
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c 2019-02-05
14:37:52.591664493 +0100
@@ -507,11 +507,29 @@ rfbBool ConnectToRFBRepeater(rfbClient*
extern void rfbClientEncryptBytes(unsigned char* bytes, char* passwd);
extern void rfbClientEncryptBytes2(unsigned char *where, const int length,
unsigned char *key);
+static void
+ReadReason(rfbClient* client)
+{
+ uint32_t reasonLen;
+ char *reason;
+
+ if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
+ reasonLen = rfbClientSwap32IfLE(reasonLen);
+ if(reasonLen > 1<<20) {
+ rfbClientLog("VNC connection failed, but sent reason length of %u
exceeds limit of 1MB",(unsigned int)reasonLen);
+ return;
+ }
+ reason = malloc(reasonLen+1);
+ if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return;
}
+ reason[reasonLen]=0;
+ rfbClientLog("VNC connection failed: %s\n",reason);
+ free(reason);
+}
+
rfbBool
rfbHandleAuthResult(rfbClient* client)
{
- uint32_t authResult=0, reasonLen=0;
- char *reason=NULL;
+ uint32_t authResult=0;
if (!ReadFromRFBServer(client, (char *)&authResult, 4)) return FALSE;
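Review bot: In the relocated `ReadReason`, the result of `malloc(reasonLen+1)` is passed to `ReadFromRFBServer` and indexed with `reason[reasonLen]=0` without a NULL check; the 1 MB limit bounds the request but does not guarantee the allocation succeeds. Adding `if (!reason) return;` right after the allocation closes that path. The over-limit `rfbClientLog` message also lacks the trailing `\n` that the other log call in this function has. `1<<20` is repeated in the `InitialiseRFBConnection` hunk of this patch, so a single named constant would keep the two limits in step.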
@@ -526,13 +544,7 @@ rfbHandleAuthResult(rfbClient* client)
if (client->major==3 && client->minor>7)
{
/* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return FALSE;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason);
return FALSE; }
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
+ ReadReason(client);
return FALSE;
}
rfbClientLog("VNC authentication failed\n");
@@ -547,21 +559,6 @@ rfbHandleAuthResult(rfbClient* client)
return FALSE;
}
-static void
-ReadReason(rfbClient* client)
-{
- uint32_t reasonLen;
- char *reason;
-
- /* we have an error following */
- if (!ReadFromRFBServer(client, (char *)&reasonLen, 4)) return;
- reasonLen = rfbClientSwap32IfLE(reasonLen);
- reason = malloc((uint64_t)reasonLen+1);
- if (!ReadFromRFBServer(client, reason, reasonLen)) { free(reason); return;
}
- reason[reasonLen]=0;
- rfbClientLog("VNC connection failed: %s\n",reason);
- free(reason);
-}
static rfbBool
ReadSupportedSecurityType(rfbClient* client, uint32_t *result, rfbBool subAuth)
@@ -1257,8 +1254,12 @@ InitialiseRFBConnection(rfbClient* clien
client->si.format.blueMax = rfbClientSwap16IfLE(client->si.format.blueMax);
client->si.nameLength = rfbClientSwap32IfLE(client->si.nameLength);
- /* To guard against integer wrap-around, si.nameLength is cast to 64 bit */
- client->desktopName = malloc((uint64_t)client->si.nameLength + 1);
+ if (client->si.nameLength > 1<<20) {
+ rfbClientErr("Too big desktop name length sent by server: %u B > 1
MB\n", (unsigned int)client->si.nameLength);
+ return FALSE;
+ }
+
+ client->desktopName = malloc(client->si.nameLength + 1);
if (!client->desktopName) {
rfbClientLog("Error allocating memory for desktop name, %lu bytes\n",
(unsigned long)client->si.nameLength);
@@ -2223,7 +2224,12 @@ HandleRFBServerMessage(rfbClient* client
msg.sct.length = rfbClientSwap32IfLE(msg.sct.length);
- buffer = malloc((uint64_t)msg.sct.length+1);
+ if (msg.sct.length > 1<<20) {
+ rfbClientErr("Ignoring too big cut text length sent by server: %u B
> 1 MB\n", (unsigned int)msg.sct.length);
+ return FALSE;
+ }
+
+ buffer = malloc(msg.sct.length+1);
if (!ReadFromRFBServer(client, buffer, msg.sct.length)) {
free(buffer);
++++++ LibVNCServer-CVE-2018-20749.patch ++++++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 6ca511fe..e210a32f 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -1461,11 +1461,21 @@ char *rfbProcessFileTransferReadBuffer(rfbClientPtr cl,
uint32_t length)
int n=0;
FILEXFER_ALLOWED_OR_CLOSE_AND_RETURN("", cl, NULL);
+
/*
- rfbLog("rfbProcessFileTransferReadBuffer(%dlen)\n", length);
+ We later alloc length+1, which might wrap around on 32-bit systems if
length equals
+ 0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a
length of 0XFFFFFFFF
+ will safely be allocated since this check will never trigger and
malloc() can digest length+1
+ without problems as length is a uint32_t.
*/
+ if(length == SIZE_MAX) {
+ rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length
requested: %u", (unsigned int)length);
+ rfbCloseClient(cl);
+ return NULL;
+ }
+
if (length>0) {
- buffer=malloc((uint64_t)length+1);
+ buffer=malloc((size_t)length+1);
if (buffer!=NULL) {
if ((n = rfbReadExact(cl, (char *)buffer, length)) <= 0) {
if (n != 0)
++++++ LibVNCServer-CVE-2018-20750.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/rfbserver.c
2019-02-05 14:11:27.552345876 +0100
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c 2019-02-05
14:19:41.526622829 +0100
@@ -87,6 +87,9 @@
#include <time.h>
/* PRIu32 */
#include <inttypes.h>
+/* INT_MAX */
+#include <limits.h>
+
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
#include "rfbssl.h"
@@ -1465,8 +1468,11 @@ char *rfbProcessFileTransferReadBuffer(r
0XFFFFFFFF, i.e. SIZE_MAX for 32-bit systems. On 64-bit systems, a
length of 0XFFFFFFFF
will safely be allocated since this check will never trigger and
malloc() can digest length+1
without problems as length is a uint32_t.
+ We also later pass length to rfbReadExact() that expects a signed int
type and
+ that might wrap on platforms with a 32-bit int type if length is bigger
+ than 0X7FFFFFFF.
*/
- if(length == SIZE_MAX) {
+ if(length == SIZE_MAX || length > INT_MAX) {
rfbErr("rfbProcessFileTransferReadBuffer: too big file transfer length
requested: %u", (unsigned int)length);
rfbCloseClient(cl);
return NULL;
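Review bot: The new bound `length > INT_MAX` still accepts a client-supplied length of up to 2 GiB, which the previous patch's hunk then hands to `malloc((size_t)length+1)`. A protocol-level cap, in the style of the `1<<20` limit applied to cut text elsewhere in this update, would bound memory per request; what limit suits file transfer needs confirming against the callers, which are not visible here. Also, where `length == SIZE_MAX` can be true at all (32-bit size_t) it is already covered by `length > INT_MAX` when int is 32 bits wide, so the condition could be reduced to `if (length > INT_MAX) {` with the comment updated to match.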
++++++ LibVNCServer-CVE-2018-21247.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/rfbproto.c
2020-07-09 10:47:17.217107752 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/rfbproto.c 2020-07-09
10:47:27.233166955 +0200
@@ -495,6 +495,7 @@ rfbBool ConnectToRFBRepeater(rfbClient*
rfbClientLog("Connected to VNC repeater, using protocol version %d.%d\n",
major, minor);
+ memset(tmphost, 0, sizeof(tmphost));
tmphostlen = snprintf(tmphost, sizeof(tmphost), "%s:%d", destHost, destPort);
if(tmphostlen < 0 || tmphostlen >= (int)sizeof(tmphost))
return FALSE; /* snprintf error or output truncated */
++++++ LibVNCServer-CVE-2018-6307.patch ++++++
diff --git a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
index c511eed1..04737831 100644
--- a/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
+++ b/libvncserver/tightvnc-filetransfer/handlefiletransferrequest.c
@@ -585,6 +585,8 @@ HandleFileDownloadCancelRequest(rfbClientPtr cl,
rfbTightClientPtr rtcp)
"FileDownloadCancelMsg\n", __FILE__,
__FUNCTION__);
rfbCloseClient(cl);
+ free(reason);
+ return;
}
rfbLog("File [%s]: Method [%s]: File Download Cancel Request received:"
++++++ LibVNCServer-CVE-2018-7225.patch ++++++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 116c4889..4fc4d9d5 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -88,6 +88,8 @@
#include <errno.h>
/* strftime() */
#include <time.h>
+/* PRIu32 */
+#include <inttypes.h>
#ifdef LIBVNCSERVER_WITH_WEBSOCKETS
#include "rfbssl.h"
@@ -2575,7 +2577,23 @@ rfbProcessClientNormalMessage(rfbClientPtr cl)
msg.cct.length = Swap32IfLE(msg.cct.length);
- str = (char *)malloc(msg.cct.length);
+ /* uint32_t input is passed to malloc()'s size_t argument,
+ * to rfbReadExact()'s int argument, to rfbStatRecordMessageRcvd()'s int
+ * argument increased of sz_rfbClientCutTextMsg, and to setXCutText()'s
int
+ * argument. Here we impose a limit of 1 MB so that the value fits
+ * into all of the types to prevent from misinterpretation and thus
+ * from accessing uninitialized memory (CVE-2018-7225) and also to
+ * prevent from a denial-of-service by allocating to much memory in
+ * the server. */
+ if (msg.cct.length > 1<<20) {
+ rfbLog("rfbClientCutText: too big cut text length requested: %"
PRIu32 "\n",
+ msg.cct.length);
+ rfbCloseClient(cl);
+ return;
+ }
+
+ /* Allow zero-length client cut text. */
+ str = (char *)calloc(msg.cct.length ? msg.cct.length : 1, 1);
if (str == NULL) {
rfbLogPerror("rfbProcessClientNormalMessage: not enough
memory");
rfbCloseClient(cl);
++++++ LibVNCServer-CVE-2019-15681.patch ++++++
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 3bacc891..310e5487 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char
*str, int len)
rfbServerCutTextMsg sct;
rfbClientIteratorPtr iterator;
+ memset((char *)&sct, 0, sizeof(sct));
+
iterator = rfbGetClientIterator(rfbScreen);
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
sct.type = rfbServerCutText;
++++++ LibVNCServer-CVE-2019-15690.patch ++++++
diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
index 67f45726..40ffb3b0 100644
--- a/libvncclient/cursor.c
+++ b/libvncclient/cursor.c
@@ -28,6 +28,8 @@
#define OPER_SAVE 0
#define OPER_RESTORE 1
+#define MAX_CURSOR_SIZE 1024
+
#define RGB24_TO_PIXEL(bpp,r,g,b) \
((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255
\
<< client->format.redShift | \
@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int
yhot, int width, int h
if (width * height == 0)
return TRUE;
+ if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
+ return FALSE;
+
/* Allocate memory for pixel data and temporary mask data. */
if(client->rcSource)
free(client->rcSource);
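Review bot: The added size check runs after `if (width * height == 0)`, so the int multiplication is still evaluated on unbounded values and can overflow before the limit applies. Negative values also pass the `>= MAX_CURSOR_SIZE` comparison. Moving the bound above the product and rejecting negatives covers both: `if (width < 0 || height < 0 || width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) return FALSE;`. Which ranges the callers can actually pass is not visible in this hunk, and HandleCursorShape continues beyond it.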
++++++ LibVNCServer-CVE-2019-20788.patch ++++++
Index: libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c
===================================================================
--- libvncserver-LibVNCServer-0.9.12.orig/libvncclient/rfbproto.c
2019-01-06 20:09:30.000000000 +0100
+++ libvncserver-LibVNCServer-0.9.12/libvncclient/rfbproto.c 2020-04-27
10:32:26.192984242 +0200
@@ -225,6 +225,7 @@ ClearServer2Client(rfbClient* client, in
client->supportedMessages.server2client[((messageType & 0xFF)/8)] &=
(!(1<<(messageType % 8)));
}
+#define MAX_TEXTCHAT_SIZE 10485760 /* 10MB */
void
DefaultSupportedMessages(rfbClient* client)
@@ -2268,6 +2269,8 @@ HandleRFBServerMessage(rfbClient* client
client->HandleTextChat(client, (int)rfbTextChatFinished, NULL);
break;
default:
+ if(msg.tc.length > MAX_TEXTCHAT_SIZE)
+ return FALSE;
buffer=malloc(msg.tc.length+1);
if (!ReadFromRFBServer(client, buffer, msg.tc.length))
{
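Review bot: The rejection at `if(msg.tc.length > MAX_TEXTCHAT_SIZE) return FALSE;` is silent, whereas the other length limits in this update log the offending value before failing. Without a message, a dropped connection caused by this limit is hard to tell apart from a network error. I would add a log line before the return, for example `rfbClientErr("Ignoring too big text chat length sent by server: %u B > 10 MB\n", (unsigned int)msg.tc.length);`. The surrounding switch starts and ends outside this hunk.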
++++++ LibVNCServer-CVE-2019-20839.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/sockets.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/sockets.c
2020-07-09 10:09:48.643818055 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/sockets.c 2020-07-09
10:10:03.475905720 +0200
@@ -427,6 +427,10 @@ ConnectClientToUnixSock(const char *sock
int sock;
struct sockaddr_un addr;
addr.sun_family = AF_UNIX;
+ if(strlen(sockFile) + 1 > sizeof(addr.sun_path)) {
+ rfbClientErr("ConnectToUnixSock: socket file name too long\n");
+ return -1;
+ }
strcpy(addr.sun_path, sockFile);
sock = socket(AF_UNIX, SOCK_STREAM, 0);
++++++ LibVNCServer-CVE-2019-20840.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/websockets.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/websockets.c
2020-07-09 10:00:41.160582292 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/websockets.c 2020-07-09
10:02:54.881372618 +0200
@@ -880,7 +880,6 @@ hybiReadAndDecode(rfbClientPtr cl, char
int bufsize;
int nextRead;
unsigned char *data;
- uint32_t *data32;
ws_ctx_t *wsctx = (ws_ctx_t *)cl->wsctx;
/* if data was carried over, copy to start of buffer */
@@ -938,10 +937,12 @@ hybiReadAndDecode(rfbClientPtr cl, char
/* for a possible base64 decoding, we decode multiples of 4 bytes until
* the whole frame is received and carry over any remaining bytes in the
carry buf*/
data = (unsigned char *)hybiPayloadStart(wsctx);
- data32= (uint32_t *)data;
for (i = 0; i < (toDecode >> 2); i++) {
- data32[i] ^= wsctx->header.mask.u;
+ uint32_t tmp;
+ memcpy(&tmp, data + i * sizeof(tmp), sizeof(tmp));
+ tmp ^= wsctx->header.mask.u;
+ memcpy(data + i * sizeof(tmp), &tmp, sizeof(tmp));
}
rfbLog("mask decoding; i=%d toDecode=%d\n", i, toDecode);
++++++ LibVNCServer-CVE-2020-14397.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/rfbregion.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/rfbregion.c
2014-10-21 17:57:11.000000000 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbregion.c 2020-07-08
09:11:51.130322073 +0200
@@ -50,24 +50,30 @@ sraSpanDup(const sraSpan *src) {
static void
sraSpanInsertAfter(sraSpan *newspan, sraSpan *after) {
- newspan->_next = after->_next;
- newspan->_prev = after;
- after->_next->_prev = newspan;
- after->_next = newspan;
+ if(newspan && after) {
+ newspan->_next = after->_next;
+ newspan->_prev = after;
+ after->_next->_prev = newspan;
+ after->_next = newspan;
+ }
}
static void
sraSpanInsertBefore(sraSpan *newspan, sraSpan *before) {
- newspan->_next = before;
- newspan->_prev = before->_prev;
- before->_prev->_next = newspan;
- before->_prev = newspan;
+ if(newspan && before) {
+ newspan->_next = before;
+ newspan->_prev = before->_prev;
+ before->_prev->_next = newspan;
+ before->_prev = newspan;
+ }
}
static void
sraSpanRemove(sraSpan *span) {
- span->_prev->_next = span->_next;
- span->_next->_prev = span->_prev;
+ if(span) {
+ span->_prev->_next = span->_next;
+ span->_next->_prev = span->_prev;
+ }
}
static void
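Review bot: The new guards in sraSpanInsertAfter(), sraSpanInsertBefore() and sraSpanRemove() turn a NULL argument into a silent no-op, and because all three return void the caller cannot tell that the list was left unchanged. If `newspan` is NULL because an allocation failed upstream (an assumption, the callers are outside this hunk), the span is dropped and the region is left incomplete without any error being reported. The guards also cover only the arguments: `after->_next`, `before->_prev`, `span->_prev` and `span->_next` are still dereferenced unchecked. At minimum I would document that in a comment on each function, e.g. `/* no-op if either pointer is NULL; neighbours are assumed valid */`, and consider checking for allocation failure where the span is created.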
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/rfbserver.c
2020-07-08 09:11:51.070321726 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/rfbserver.c 2020-07-08
09:15:28.887592049 +0200
@@ -215,6 +215,8 @@ rfbClientIteratorHead(rfbClientIteratorP
rfbClientPtr
rfbClientIteratorNext(rfbClientIteratorPtr i)
{
+ if (!i)
+ return NULL;
if(i->next == 0) {
LOCK(rfbClientListMutex);
i->next = i->screen->clientHead;
@@ -239,7 +241,7 @@ rfbClientIteratorNext(rfbClientIteratorP
void
rfbReleaseClientIterator(rfbClientIteratorPtr iterator)
{
- IF_PTHREADS(if(iterator->next) rfbDecrClientRef(iterator->next));
+ IF_PTHREADS(if(iterator && iterator->next) rfbDecrClientRef(iterator->next));
free(iterator);
}
++++++ LibVNCServer-CVE-2020-14398.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncclient/sockets.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncclient/sockets.c
2020-07-09 14:17:56.461707735 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncclient/sockets.c 2020-07-09
14:22:02.679183976 +0200
@@ -84,6 +84,12 @@ rfbBool errorMessageOnReadFailure = TRUE
rfbBool
ReadFromRFBServer(rfbClient* client, char *out, unsigned int n)
{
+ const int USECS_WAIT_PER_RETRY = 100000;
+ /* in the upstream commit, there is new rfbClient->readTimeout variable
+ and DEFAULT_READ_TIMEOUT defined instead
+
https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b
*/
+ const int READ_TIMEOUT = 60;
+ int retries = 0;
#undef DEBUG_READ_EXACT
#ifdef DEBUG_READ_EXACT
char* oout=out;
@@ -165,10 +171,16 @@ ReadFromRFBServer(rfbClient* client, cha
errno=WSAGetLastError();
#endif
if (errno == EWOULDBLOCK || errno == EAGAIN) {
+ if (READ_TIMEOUT > 0 &&
+ ++retries > (READ_TIMEOUT * 1000 * 1000 / USECS_WAIT_PER_RETRY))
+ {
+ rfbClientLog("Connection timed out\n");
+ return FALSE;
+ }
/* TODO:
ProcessXtEvents();
*/
- WaitForMessage(client, 100000);
+ WaitForMessage(client, USECS_WAIT_PER_RETRY);
i = 0;
} else {
rfbClientErr("read (%d: %s)\n",errno,strerror(errno));
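Review bot: `retries` is incremented on every EWOULDBLOCK/EAGAIN in this hunk and in the next one, but nothing in the visible lines resets it, so the 60-second budget appears to apply to the whole ReadFromRFBServer() call rather than to a single stall. If the read loop (outside these hunks) makes progress between stalls, a large but slow transfer could be reported as "Connection timed out" even though data keeps arriving. Resetting the counter after a successful read, `retries = 0;`, would make the limit per stall. The count also matches elapsed time only if WaitForMessage() blocks for the full `USECS_WAIT_PER_RETRY`, which is worth a comment next to the constants.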
@@ -204,10 +216,16 @@ ReadFromRFBServer(rfbClient* client, cha
errno=WSAGetLastError();
#endif
if (errno == EWOULDBLOCK || errno == EAGAIN) {
+ if (READ_TIMEOUT > 0 &&
+ ++retries > (READ_TIMEOUT * 1000 * 1000 / USECS_WAIT_PER_RETRY))
+ {
+ rfbClientLog("Connection timed out\n");
+ return FALSE;
+ }
/* TODO:
ProcessXtEvents();
*/
- WaitForMessage(client, 100000);
+ WaitForMessage(client, USECS_WAIT_PER_RETRY);
i = 0;
} else {
rfbClientErr("read (%s)\n",strerror(errno));
++++++ LibVNCServer-CVE-2020-14399.patch ++++++
>From 23e5cbe6b090d7f22982aee909a6a618174d3c2d Mon Sep 17 00:00:00 2001
From: Tobias Junghans <[email protected]>
Date: Wed, 27 May 2020 11:47:00 +0200
Subject: [PATCH] libvncclient: fix pointer aliasing/alignment issue
Accessing byte-aligned data through uint32_t pointers can cause crashes
on some platforms or reduce the performance. Therefore ensure a proper
stack alignment.
---
libvncclient/rfbproto.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index cd2a297e..6f6d6704 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1151,10 +1151,13 @@ rfbBool
SetFormatAndEncodings(rfbClient* client)
{
rfbSetPixelFormatMsg spf;
- char buf[sz_rfbSetEncodingsMsg + MAX_ENCODINGS * 4];
+ union {
+ char bytes[sz_rfbSetEncodingsMsg + MAX_ENCODINGS*4];
+ rfbSetEncodingsMsg msg;
+ } buf;
- rfbSetEncodingsMsg *se = (rfbSetEncodingsMsg *)buf;
- uint32_t *encs = (uint32_t *)(&buf[sz_rfbSetEncodingsMsg]);
+ rfbSetEncodingsMsg *se = &buf.msg;
+ uint32_t *encs = (uint32_t *)(&buf.bytes[sz_rfbSetEncodingsMsg]);
int len = 0;
rfbBool requestCompressLevel = FALSE;
rfbBool requestQualityLevel = FALSE;
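Review bot: The union raises the buffer's alignment only to that of `rfbSetEncodingsMsg`, while `encs` is still obtained by casting `&buf.bytes[sz_rfbSetEncodingsMsg]` to `uint32_t *`. If that struct has no 4-byte member (its definition is not visible here), the union may be only 2-byte aligned and the 32-bit stores through `encs` could still be misaligned on strict platforms. Adding a member that forces the alignment, `uint32_t align;`, inside the union would guarantee it regardless of the struct layout.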
@@ -1354,7 +1357,7 @@ SetFormatAndEncodings(rfbClient* client)
se->nEncodings = rfbClientSwap16IfLE(se->nEncodings);
- if (!WriteToRFBServer(client, buf, len)) return FALSE;
+ if (!WriteToRFBServer(client, buf.bytes, len)) return FALSE;
return TRUE;
}
++++++ LibVNCServer-CVE-2020-14400.patch ++++++
diff --git a/libvncserver/translate.c b/libvncserver/translate.c
index 7c341c2a..7e6d3d8e 100644
--- a/libvncserver/translate.c
+++ b/libvncserver/translate.c
@@ -360,9 +360,12 @@ rfbSetTranslateFunction(rfbClientPtr cl)
static rfbBool
rfbSetClientColourMapBGR233(rfbClientPtr cl)
{
- char buf[sz_rfbSetColourMapEntriesMsg + 256 * 3 * 2];
- rfbSetColourMapEntriesMsg *scme = (rfbSetColourMapEntriesMsg *)buf;
- uint16_t *rgb = (uint16_t *)(&buf[sz_rfbSetColourMapEntriesMsg]);
+ union {
+ char bytes[sz_rfbSetColourMapEntriesMsg + 256 * 3 * 2];
+ rfbSetColourMapEntriesMsg msg;
+ } buf;
+ rfbSetColourMapEntriesMsg *scme = &buf.msg;
+ uint16_t *rgb = (uint16_t *)(&buf.bytes[sz_rfbSetColourMapEntriesMsg]);
int i, len;
int r, g, b;
@@ -394,7 +397,7 @@ rfbSetClientColourMapBGR233(rfbClientPtr cl)
len += 256 * 3 * 2;
- if (rfbWriteExact(cl, buf, len) < 0) {
+ if (rfbWriteExact(cl, buf.bytes, len) < 0) {
rfbLogPerror("rfbSetClientColourMapBGR233: write");
rfbCloseClient(cl);
return FALSE;
++++++ LibVNCServer-CVE-2020-14401.patch ++++++
Index: libvncserver-LibVNCServer-0.9.10/libvncserver/scale.c
===================================================================
--- libvncserver-LibVNCServer-0.9.10.orig/libvncserver/scale.c 2014-10-21
17:57:11.000000000 +0200
+++ libvncserver-LibVNCServer-0.9.10/libvncserver/scale.c 2020-07-08
09:03:00.967250625 +0200
@@ -215,7 +215,7 @@ void rfbScaledScreenUpdateRect(rfbScreen
default:
/* fixme: endianess problem? */
for (z = 0; z < bytesPerPixel; z++)
- pixel_value += (srcptr2[z] << (8 * z));
+ pixel_value += ((unsigned long)srcptr2[z] << (8 * z));
break;
}
/*
++++++ LibVNCServer-CVE-2020-14402,14403,14404.patch ++++++
diff --git a/libvncserver/corre.c b/libvncserver/corre.c
index 8a845ea9..86ab99a6 100644
--- a/libvncserver/corre.c
+++ b/libvncserver/corre.c
@@ -233,7 +233,7 @@ subrectEncode##bpp(rfbClientPtr client, uint##bpp##_t
*data, int w, int h) {
seg = data+(j*w); \
if (seg[x] != cl) {break;} \
i = x; \
- while ((seg[i] == cl) && (i < w)) i += 1; \
+ while ((i < w) && (seg[i] == cl)) i += 1; \
i -= 1; \
if (j == y) vx = hx = i; \
if (i < vx) vx = i; \
diff --git a/libvncserver/hextile.c b/libvncserver/hextile.c
index 52920d88..6e1bf82e 100644
--- a/libvncserver/hextile.c
+++ b/libvncserver/hextile.c
@@ -224,7 +224,7 @@ subrectEncode##bpp(rfbClientPtr cl, uint##bpp##_t *data,
int w, int h,
seg = data+(j*w);
\
if (seg[x] != cl2) {break;}
\
i = x;
\
- while ((seg[i] == cl2) && (i < w)) i += 1;
\
+ while ((i < w) && (seg[i] == cl2)) i += 1;
\
i -= 1;
\
if (j == y) vx = hx = i;
\
if (i < vx) vx = i;
\
diff --git a/libvncserver/rre.c b/libvncserver/rre.c
index 2103153c..4a65682f 100644
--- a/libvncserver/rre.c
+++ b/libvncserver/rre.c
@@ -200,7 +200,7 @@ static int
\
seg = data+(j*w); \
if (seg[x] != cl) {break;} \
i = x; \
- while ((seg[i] == cl) && (i < w)) i += 1; \
+ while ((i < w) && (seg[i] == cl)) i += 1; \
i -= 1; \
if (j == y) vx = hx = i; \
if (i < vx) vx = i; \
++++++ baselibs.conf ++++++
LibVNCServer
++++++ libvncserver-0.9.1-multilib.patch ++++++
diff -up LibVNCServer-0.9.1/libvncserver-config.in.multilib
LibVNCServer-0.9.1/libvncserver-config.in
--- LibVNCServer-0.9.1/libvncserver-config.in.multilib 2007-05-26
21:28:25.000000000 -0500
+++ LibVNCServer-0.9.1/libvncserver-config.in 2008-01-22 14:51:08.000000000
-0600
@@ -4,7 +4,6 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=no
includedir=@includedir@
-libdir=@libdir@
# if this script is in the same directory as libvncserver-config.in, assume
not installed
if [ -f "`dirname "$0"`/libvncserver-config.in" ]; then
@@ -63,7 +62,7 @@ while test $# -gt 0; do
libs="$libs -R$dir"
fi
done
- echo "$libs" -lvncserver -lvncclient @LIBS@ @WSOCKLIB@
+ echo "$libs" -lvncserver -lvncclient
;;
--link)
echo @CC@
++++++ libvncserver-0.9.10-ossl.patch ++++++
--- libvncclient/tls_openssl.c.orig
+++ libvncclient/tls_openssl.c
@@ -18,9 +18,11 @@
* USA.
*/
+#include "rfbconfig.h"
#include <rfb/rfbclient.h>
#include <errno.h>
-
+#define OPENSSL_LOAD_CONF
+#define OPENSSL_NO_SSL_INTERN
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
@@ -162,7 +164,7 @@ InitializeTLS(void)
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
- RAND_load_file("/dev/urandom", 1024);
+ if(RAND_status() == 0) RAND_load_file("/dev/urandom", 1024);
rfbClientLog("OpenSSL initialized.\n");
rfbTLSInitialized = TRUE;
@@ -185,7 +187,7 @@ ssl_verify (int ok, X509_STORE_CTX *ctx)
ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx
());
- client = SSL_CTX_get_app_data (ssl->ctx);
+ client = SSL_CTX_get_app_data (SSL_get_SSL_CTX(ssl));
cert = X509_STORE_CTX_get_current_cert (ctx);
err = X509_STORE_CTX_get_error (ctx);
@@ -265,6 +267,10 @@ open_ssl_connection (rfbClient *client,
int n, finished = 0;
ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, &ssl_verify);
ssl = SSL_new (ssl_ctx);
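Review bot: The added `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);` disables only SSLv2, so with `SSLv23_client_method()` SSLv3 remains negotiable. Adding `SSL_OP_NO_SSLv3` to the mask would restrict the client to TLS: `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The new calls also use `ssl_ctx` before any NULL check on the result of SSL_CTX_new() is visible, so a guard directly after the allocation would be appropriate; the function continues outside this hunk.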
@@ -284,8 +290,8 @@ open_ssl_connection (rfbClient *client,
if (wait_for_data(ssl, n, 1) != 1)
{
finished = 1;
- if (ssl->ctx)
- SSL_CTX_free (ssl->ctx);
+ if (SSL_get_SSL_CTX(ssl))
+ SSL_CTX_free (SSL_get_SSL_CTX(ssl));
SSL_free(ssl);
SSL_shutdown (ssl);
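Review bot: In the cleanup path this hunk edits, the unchanged lines call `SSL_free(ssl);` and then `SSL_shutdown (ssl);`, so the shutdown operates on an already freed object. Since the patch is touching exactly these lines, it would be a good moment to swap the two calls so the free comes last: `SSL_shutdown (ssl);` followed by `SSL_free(ssl);`. The new `SSL_get_SSL_CTX(ssl)` calls are correctly placed before the free. The rest of open_ssl_connection() is outside this hunk.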
--- libvncserver/rfbssl_openssl.c.orig
+++ libvncserver/rfbssl_openssl.c
@@ -21,7 +21,10 @@
* USA.
*/
+#include "rfbconfig.h"
#include "rfbssl.h"
+#define OPENSSL_LOAD_CONF
+#define OPENSSL_NO_SSL_INTERN
#include <openssl/ssl.h>
#include <openssl/err.h>
++++++ libvncserver-0.9.10-use-namespaced-rfbMax-macro.patch ++++++
>From 53cc1fa18a3b96d2c31a145d971017564fca39bb Mon Sep 17 00:00:00 2001
From: Rex Dieter <[email protected]>
Date: Thu, 18 Feb 2016 08:29:07 -0600
Subject: [PATCH] use namespaced rfbMax macro (issue #102)
Not using generic 'max', avoids conflicts with stl_algobase.h
---
libvncclient/listen.c | 9 +++------
libvncserver/httpd.c | 2 +-
libvncserver/rfbserver.c | 2 +-
libvncserver/sockets.c | 8 ++++----
rfb/rfbproto.h | 2 +-
5 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/libvncclient/listen.c b/libvncclient/listen.c
index 739cd9f..e989d6a 100644
--- a/libvncclient/listen.c
+++ b/libvncclient/listen.c
@@ -30,9 +30,6 @@
#ifdef WIN32
#define close closesocket
#include <winsock2.h>
-#ifdef _MINGW32
-#undef max
-#endif // #ifdef _MINGW32
#else // #ifdef WIN32
#include <sys/wait.h>
#include <sys/utsname.h>
@@ -99,7 +96,7 @@ listenForIncomingConnections(rfbClient* client)
if(listen6Socket >= 0)
FD_SET(listen6Socket, &fds);
- r = select(max(listenSocket, listen6Socket)+1, &fds, NULL, NULL, NULL);
+ r = select(rfbMax(listenSocket, listen6Socket)+1, &fds, NULL, NULL, NULL);
if (r > 0) {
if (FD_ISSET(listenSocket, &fds))
@@ -195,9 +192,9 @@ listenForIncomingConnectionsNoFork(rfbClient* client, int
timeout)
FD_SET(client->listen6Sock, &fds);
if (timeout < 0)
- r = select(max(client->listenSock, client->listen6Sock) +1, &fds, NULL,
NULL, NULL);
+ r = select(rfbMax(client->listenSock, client->listen6Sock) +1, &fds, NULL,
NULL, NULL);
else
- r = select(max(client->listenSock, client->listen6Sock) +1, &fds, NULL,
NULL, &to);
+ r = select(rfbMax(client->listenSock, client->listen6Sock) +1, &fds, NULL,
NULL, &to);
if (r > 0)
{
diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
index 2a778e7..236ab3e 100644
--- a/libvncserver/httpd.c
+++ b/libvncserver/httpd.c
@@ -192,7 +192,7 @@ rfbHttpCheckFds(rfbScreenInfoPtr rfbScreen)
}
tv.tv_sec = 0;
tv.tv_usec = 0;
- nfds = select(max(rfbScreen->httpListen6Sock,
max(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL, &tv);
+ nfds = select(rfbMax(rfbScreen->httpListen6Sock,
rfbMax(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL,
&tv);
if (nfds == 0) {
return;
}
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 34e1c06..68c2de5 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -369,7 +369,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen,
}
FD_SET(sock,&(rfbScreen->allFds));
- rfbScreen->maxFd = max(sock,rfbScreen->maxFd);
+ rfbScreen->maxFd = rfbMax(sock,rfbScreen->maxFd);
INIT_MUTEX(cl->outputMutex);
INIT_MUTEX(cl->refCountMutex);
diff --git a/libvncserver/sockets.c b/libvncserver/sockets.c
index f21f162..aaef14b 100644
--- a/libvncserver/sockets.c
+++ b/libvncserver/sockets.c
@@ -193,7 +193,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen)
rfbLog("Autoprobing selected TCP6 port %d\n", rfbScreen->ipv6port);
FD_SET(rfbScreen->listen6Sock, &(rfbScreen->allFds));
- rfbScreen->maxFd = max((int)rfbScreen->listen6Sock,rfbScreen->maxFd);
+ rfbScreen->maxFd = rfbMax((int)rfbScreen->listen6Sock,rfbScreen->maxFd);
#endif
}
else
@@ -220,7 +220,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen)
rfbLog("Listening for VNC connections on TCP6 port %d\n",
rfbScreen->ipv6port);
FD_SET(rfbScreen->listen6Sock, &(rfbScreen->allFds));
- rfbScreen->maxFd = max((int)rfbScreen->listen6Sock,rfbScreen->maxFd);
+ rfbScreen->maxFd = rfbMax((int)rfbScreen->listen6Sock,rfbScreen->maxFd);
}
#endif
@@ -236,7 +236,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen)
rfbLog("Listening for VNC connections on TCP port %d\n",
rfbScreen->port);
FD_SET(rfbScreen->udpSock, &(rfbScreen->allFds));
- rfbScreen->maxFd = max((int)rfbScreen->udpSock,rfbScreen->maxFd);
+ rfbScreen->maxFd = rfbMax((int)rfbScreen->udpSock,rfbScreen->maxFd);
}
}
@@ -563,7 +563,7 @@ rfbConnect(rfbScreenInfoPtr rfbScreen,
/* AddEnabledDevice(sock); */
FD_SET(sock, &rfbScreen->allFds);
- rfbScreen->maxFd = max(sock,rfbScreen->maxFd);
+ rfbScreen->maxFd = rfbMax(sock,rfbScreen->maxFd);
return sock;
}
diff --git a/rfb/rfbproto.h b/rfb/rfbproto.h
index 8e607e5..bb6bfa5 100644
--- a/rfb/rfbproto.h
+++ b/rfb/rfbproto.h
@@ -93,8 +93,8 @@
#define strncasecmp _strnicmp
#endif
+#define rfbMax(a,b) (((a)>(b))?(a):(b))
#if !defined(WIN32) || defined(__MINGW32__)
-#define max(a,b) (((a)>(b))?(a):(b))
#ifdef LIBVNCSERVER_HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
++++++ libvncserver-byteswap.patch ++++++
--- rfb/rfb.h.orig
+++ rfb/rfb.h
@@ -711,19 +711,18 @@ typedef struct _rfbClientRec {
((cl)->enableCursorPosUpdates && (cl)->cursorWasMoved) || \
!sraRgnEmpty((cl)->copyRegion) || !sraRgnEmpty((cl)->modifiedRegion))
+#include <byteswap.h>
/*
* Macros for endian swapping.
*/
-#define Swap16(s) ((((s) & 0xff) << 8) | (((s) >> 8) & 0xff))
+#define Swap16(s) bswap_16(s)
#define Swap24(l) ((((l) & 0xff) << 16) | (((l) >> 16) & 0xff) | \
(((l) & 0x00ff00)))
-#define Swap32(l) (((l) >> 24) | \
- (((l) & 0x00ff0000) >> 8) | \
- (((l) & 0x0000ff00) << 8) | \
- ((l) << 24))
+#define Swap32(l) bswap_32(l)
+
extern char rfbEndianTest;
--- rfb/rfbclient.h.orig
+++ rfb/rfbclient.h
@@ -38,25 +38,16 @@
#include <unistd.h>
#include <rfb/rfbproto.h>
#include <rfb/keysym.h>
+#include <byteswap.h>
#define rfbClientSwap16IfLE(s) \
- (*(char *)&client->endianTest ? ((((s) & 0xff) << 8) | (((s) >> 8) &
0xff)) : (s))
+ (*(char *)&client->endianTest ? (bswap_16(s)) : (s))
#define rfbClientSwap32IfLE(l) \
- (*(char *)&client->endianTest ? ((((l) & 0xff000000) >> 24) | \
- (((l) & 0x00ff0000) >> 8) | \
- (((l) & 0x0000ff00) << 8) | \
- (((l) & 0x000000ff) << 24)) : (l))
+ (*(char *)&client->endianTest ? (bswap_32(l)) : (l))
#define rfbClientSwap64IfLE(l) \
- (*(char *)&client->endianTest ? ((((l) & 0xff00000000000000ULL) >> 56) | \
- (((l) & 0x00ff000000000000ULL) >> 40) | \
- (((l) & 0x0000ff0000000000ULL) >> 24) | \
- (((l) & 0x000000ff00000000ULL) >> 8) | \
- (((l) & 0x00000000ff000000ULL) << 8) | \
- (((l) & 0x0000000000ff0000ULL) << 24) | \
- (((l) & 0x000000000000ff00ULL) << 40) | \
- (((l) & 0x00000000000000ffULL) << 56)) : (l))
+ (*(char *)&client->endianTest ? (bswap_64(l)): (l))
#define FLASH_PORT_OFFSET 5400
#define LISTEN_PORT_OFFSET 5500
++++++ redef-keysym.patch ++++++
Index: LibVNCServer-0.8.2/rfb/keysym.h
===================================================================
--- LibVNCServer-0.8.2.orig/rfb/keysym.h
+++ LibVNCServer-0.8.2/rfb/keysym.h
@@ -50,15 +50,29 @@ SOFTWARE.
******************************************************************/
/* default keysyms */
-#define XK_MISCELLANY
-#define XK_XKB_KEYS
-#define XK_LATIN1
-#define XK_LATIN2
-#define XK_LATIN3
-#define XK_LATIN4
-#define XK_GREEK
+#ifndef XK_MISCELLANY
+# define _XK_MISCELLANY
+#endif
+#ifndef XK_XKB_KEYS
+# define _XK_XKB_KEYS
+#endif
+#ifndef XK_LATIN1
+# define _XK_LATIN1
+#endif
+#ifndef XK_LATIN2
+# define _XK_LATIN2
+#endif
+#ifndef XK_LATIN3
+# define _XK_LATIN3
+#endif
+#ifndef XK_LATIN4
+# define _XK_LATIN4
+#endif
+#ifndef XK_GREEK
+# define _XK_GREEK
+#endif
/* $TOG: keysymdef.h /main/25 1997/06/21 10:54:51 kaleb $ */
/***********************************************************
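Review bot: The new guard macros such as `_XK_MISCELLANY` and `_XK_LATIN1` begin with an underscore followed by an uppercase letter, which is a name reserved for the implementation in C; a project prefix such as `RFB_XK_MISCELLANY` would avoid that. The later hunks also switch groups that get no default here (`XK_3270`, `XK_KATAKANA`, `XK_ARABIC` and others) to `#ifdef _XK_…`, so an application that defines `XK_KATAKANA` before including this header no longer gets those keysyms from it. If that is intended, a comment above the defaults would help, e.g. `/* groups are enabled via the internal _XK_* guards only; XK_* set by the includer are ignored */`.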
@@ -110,11 +124,13 @@ ARISING OUT OF OR IN CONNECTION WITH THE
SOFTWARE.
******************************************************************/
-#define XK_VoidSymbol 0xFFFFFF /* void symbol */
+#ifndef XK_VoidSymbol
+# define XK_VoidSymbol 0xFFFFFF /* void symbol */
+#endif
-#ifdef XK_MISCELLANY
+#ifdef _XK_MISCELLANY
/*
* TTY Functions, cleverly chosen to map to ascii, for convenience of
* programming, but could have been arbitrary (at the cost of lookup
* tables in client code.
@@ -330,9 +346,9 @@ SOFTWARE.
* ISO 9995 Function and Modifier Keys
* Byte 3 = 0xFE
*/
-#ifdef XK_XKB_KEYS
+#ifdef _XK_XKB_KEYS
#define XK_ISO_Lock 0xFE01
#define XK_ISO_Level2_Latch 0xFE02
#define XK_ISO_Level3_Shift 0xFE03
#define XK_ISO_Level3_Latch 0xFE04
@@ -445,9 +461,9 @@ SOFTWARE.
* 3270 Terminal Keys
* Byte 3 = 0xFD
*/
-#ifdef XK_3270
+#ifdef _XK_3270
#define XK_3270_Duplicate 0xFD01
#define XK_3270_FieldMark 0xFD02
#define XK_3270_Right2 0xFD03
#define XK_3270_Left2 0xFD04
@@ -482,9 +498,9 @@ SOFTWARE.
/*
* Latin 1
* Byte 3 = 0
*/
-#ifdef XK_LATIN1
+#ifdef _XK_LATIN1
#define XK_space 0x020
#define XK_exclam 0x021
#define XK_quotedbl 0x022
#define XK_numbersign 0x023
@@ -686,9 +702,9 @@ SOFTWARE.
* Latin 2
* Byte 3 = 1
*/
-#ifdef XK_LATIN2
+#ifdef _XK_LATIN2
#define XK_Aogonek 0x1a1
#define XK_breve 0x1a2
#define XK_Lstroke 0x1a3
#define XK_Lcaron 0x1a5
@@ -751,9 +767,9 @@ SOFTWARE.
* Latin 3
* Byte 3 = 2
*/
-#ifdef XK_LATIN3
+#ifdef _XK_LATIN3
#define XK_Hstroke 0x2a1
#define XK_Hcircumflex 0x2a6
#define XK_Iabovedot 0x2a9
#define XK_Gbreve 0x2ab
@@ -782,9 +798,9 @@ SOFTWARE.
* Latin 4
* Byte 3 = 3
*/
-#ifdef XK_LATIN4
+#ifdef _XK_LATIN4
#define XK_kra 0x3a2
#define XK_kappa 0x3a2 /* deprecated */
#define XK_Rcedilla 0x3a3
#define XK_Itilde 0x3a5
@@ -826,9 +842,9 @@ SOFTWARE.
* Katakana
* Byte 3 = 4
*/
-#ifdef XK_KATAKANA
+#ifdef _XK_KATAKANA
#define XK_overline 0x47e
#define XK_kana_fullstop 0x4a1
#define XK_kana_openingbracket 0x4a2
#define XK_kana_closingbracket 0x4a3
@@ -904,9 +920,9 @@ SOFTWARE.
* Arabic
* Byte 3 = 5
*/
-#ifdef XK_ARABIC
+#ifdef _XK_ARABIC
#define XK_Arabic_comma 0x5ac
#define XK_Arabic_semicolon 0x5bb
#define XK_Arabic_question_mark 0x5bf
#define XK_Arabic_hamza 0x5c1
@@ -961,9 +977,9 @@ SOFTWARE.
/*
* Cyrillic
* Byte 3 = 6
*/
-#ifdef XK_CYRILLIC
+#ifdef _XK_CYRILLIC
#define XK_Serbian_dje 0x6a1
#define XK_Macedonia_gje 0x6a2
#define XK_Cyrillic_io 0x6a3
#define XK_Ukrainian_ie 0x6a4
@@ -1076,9 +1092,9 @@ SOFTWARE.
* Greek
* Byte 3 = 7
*/
-#ifdef XK_GREEK
+#ifdef _XK_GREEK
#define XK_Greek_ALPHAaccent 0x7a1
#define XK_Greek_EPSILONaccent 0x7a2
#define XK_Greek_ETAaccent 0x7a3
#define XK_Greek_IOTAaccent 0x7a4
@@ -1158,9 +1174,9 @@ SOFTWARE.
* Technical
* Byte 3 = 8
*/
-#ifdef XK_TECHNICAL
+#ifdef _XK_TECHNICAL
#define XK_leftradical 0x8a1
#define XK_topleftradical 0x8a2
#define XK_horizconnector 0x8a3
#define XK_topintegral 0x8a4
@@ -1215,9 +1231,9 @@ SOFTWARE.
* Special
* Byte 3 = 9
*/
-#ifdef XK_SPECIAL
+#ifdef _XK_SPECIAL
#define XK_blank 0x9df
#define XK_soliddiamond 0x9e0
#define XK_checkerboard 0x9e1
#define XK_ht 0x9e2
@@ -1247,9 +1263,9 @@ SOFTWARE.
* Publishing
* Byte 3 = a
*/
-#ifdef XK_PUBLISHING
+#ifdef _XK_PUBLISHING
#define XK_emspace 0xaa1
#define XK_enspace 0xaa2
#define XK_em3space 0xaa3
#define XK_em4space 0xaa4
@@ -1338,9 +1354,9 @@ SOFTWARE.
* APL
* Byte 3 = b
*/
-#ifdef XK_APL
+#ifdef _XK_APL
#define XK_leftcaret 0xba3
#define XK_rightcaret 0xba6
#define XK_downcaret 0xba8
#define XK_upcaret 0xba9
@@ -1365,9 +1381,9 @@ SOFTWARE.
* Hebrew
* Byte 3 = c
*/
-#ifdef XK_HEBREW
+#ifdef _XK_HEBREW
#define XK_hebrew_doublelowline 0xcdf
#define XK_hebrew_aleph 0xce0
#define XK_hebrew_bet 0xce1
#define XK_hebrew_beth 0xce1 /* deprecated */
@@ -1413,9 +1429,9 @@ SOFTWARE.
* Thai
* Byte 3 = d
*/
-#ifdef XK_THAI
+#ifdef _XK_THAI
#define XK_Thai_kokai 0xda1
#define XK_Thai_khokhai 0xda2
#define XK_Thai_khokhuat 0xda3
#define XK_Thai_khokhwai 0xda4
@@ -1505,9 +1521,9 @@ SOFTWARE.
* Korean
* Byte 3 = e
*/
-#ifdef XK_KOREAN
+#ifdef _XK_KOREAN
#define XK_Hangul 0xff31 /* Hangul start/stop(toggle) */
#define XK_Hangul_Start 0xff32 /* Hangul start */
#define XK_Hangul_End 0xff33 /* Hangul end, English start */