Add sanity checks for PixelFormat shift values
Otherwise we might be tricked into reading and writing things at incorrect offsets for pixels, which ultimately could result in an attacker writing things to the stack or heap and executing things they shouldn't. This only affects the server, as the client never uses the pixel format suggested by the server. Issue found by Pavel Cheremushkin from Kaspersky Lab.
parent
9f7abaea3a
commit
1d5aaf54f8
@ -681,6 +681,13 @@ bool PixelFormat::isSane(void)
|
|||||||
if (totalBits > depth)
|
if (totalBits > depth)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
if ((bits(redMax) + redShift) > bpp)
|
||||||
|
return false;
|
||||||
|
if ((bits(greenMax) + greenShift) > bpp)
|
||||||
|
return false;
|
||||||
|
if ((bits(blueMax) + blueShift) > bpp)
|
||||||
|
return false;
|
||||||
|
|
||||||
if (((redMax << redShift) & (greenMax << greenShift)) != 0)
|
if (((redMax << redShift) & (greenMax << greenShift)) != 0)
|
||||||
return false;
|
return false;
|
||||||
if (((redMax << redShift) & (blueMax << blueShift)) != 0)
|
if (((redMax << redShift) & (blueMax << blueShift)) != 0)
|
||||||
|
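Review bot: The three added guards in isSane() bound each shift only from above, so if redShift, greenShift and blueShift are signed (their declarations are outside this hunk), a negative value passes `(bits(redMax) + redShift) > bpp` and still reaches the `redMax << redShift` overlap tests below, where a negative shift count is undefined behaviour. Rejecting that case in the same condition would close it, e.g. `if (redShift < 0 || (bits(redMax) + redShift) > bpp)`, and likewise for green and blue. A short comment above the block, such as `// Each channel's (max << shift) must fit inside bpp, otherwise pixel conversion reads/writes at wrong offsets`, would record why the check exists. The body of isSane() starts before and continues after this hunk, so any earlier validation of these fields is not visible here.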