Commit Graph

156 Commits

Author SHA1 Message Date
Pierre Ossman
1d5aaf54f8 Add sanity checks for PixelFormat shift values
Otherwise we might be tricked in to reading and writing things at
incorrect offsets for pixels which ultimately could result in an
attacker writing things to the stack or heap and executing things
they shouldn't.

This only affects the server as the client never uses the pixel
format suggested by th server.

Issue found by Pavel Cheremushkin from Kaspersky Lab.
2020-09-21 12:47:56 +03:00
Pierre Ossman
9f7abaea3a Fix depth sanity test in PixelFormat 2020-09-21 12:47:22 +03:00
Pierre Ossman
1224cbdc21 Handle empty Tight gradient rects
We always assumed there would be one pixel per row so a rect with
a zero width would result in us writing to unknown memory.

This could theoretically be used by a malicious server to inject
code in to the viewer process.

Issue found by Pavel Cheremushkin from Kaspersky Lab.
2020-09-21 12:46:27 +03:00
Pierre Ossman
6a3f711878 Add write protection to OffsetPixelBuffer
No one should every try to write to this buffer. Enforce that by
throwing an exception if any one tries to get a writeable pointer
to the data.
2020-09-21 12:45:51 +03:00
Pierre Ossman
3282836baf Make ZlibInStream more robust against failures
Move the checks around to avoid missing cases where we might access
memory that is no longer valid. Also avoid touching the underlying
stream implicitly (e.g. via the destructor) as it might also no
longer be valid.

A malicious server could theoretically use this for remote code
execution in the client.

Issue found by Pavel Cheremushkin from Kaspersky Lab
2020-09-21 12:40:12 +03:00
matt
408c005d3e Initial commit 2020-09-20 12:16:44 +00:00