Check for MallocFrameBuffer() return value

If MallocFrameBuffer() returns FALSE, frame buffer pointer is left to NULL. Subsequent writes into that buffer could lead to memory corruption, or even arbitrary code execution.
author: newsoft <newsoft@MacBook-Air-de-newsoft-2.local> 2014-08-15 16:41:58 +0200
committer: newsoft <newsoft@MacBook-Air-de-newsoft-2.local> 2014-08-15 16:41:58 +0200
commit: 85a778c0e45e87e35ee7199f1f25020648e8b812 (patch)
tree: 67f488e08d6bd6a89390c2840d96dd6ca909bcae
parent: 045a044e8ae79db9244593fbce154cdf6e843273 (diff)
download: libvncserver-85a778c0e45e87e35ee7199f1f25020648e8b812.zip
libvncserver-85a778c0e45e87e35ee7199f1f25020648e8b812.tar.gz
2 files changed, 9 insertions, 4 deletions
diff --git a/libvncclient/rfbproto.c b/libvncclient/rfbproto.c
index b4d7156..f55c74f 100644
--- a/libvncclient/rfbproto.c
+++ b/libvncclient/rfbproto.c
@@ -1829,7 +1829,8 @@ HandleRFBServerMessage(rfbClient* client)
 	client->updateRect.x = client->updateRect.y = 0;
 	client->updateRect.w = client->width;
 	client->updateRect.h = client->height;
-	client->MallocFrameBuffer(client);
+  if (!client->MallocFrameBuffer(client))
+    return FALSE;
 	SendFramebufferUpdateRequest(client, 0, 0, rect.r.w, rect.r.h, FALSE);
 	rfbClientLog("Got new framebuffer size: %dx%d\n", rect.r.w, rect.r.h);
 	continue;
@@ -2290,7 +2291,9 @@ HandleRFBServerMessage(rfbClient* client)
     client->updateRect.x = client->updateRect.y = 0;
     client->updateRect.w = client->width;
     client->updateRect.h = client->height;
-    client->MallocFrameBuffer(client);
+    if (!client->MallocFrameBuffer(client))
+      return FALSE;
+
     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
     break;
@@ -2306,7 +2309,8 @@ HandleRFBServerMessage(rfbClient* client)
     client->updateRect.x = client->updateRect.y = 0;
     client->updateRect.w = client->width;
     client->updateRect.h = client->height;
-    client->MallocFrameBuffer(client);
+    if (!client->MallocFrameBuffer(client))
+      return FALSE;
     SendFramebufferUpdateRequest(client, 0, 0, client->width, client->height, FALSE);
     rfbClientLog("Got new framebuffer size: %dx%d\n", client->width, client->height);
     break;
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
index 24bc6f8..65b7412 100644
--- a/libvncclient/vncviewer.c
+++ b/libvncclient/vncviewer.c
@@ -250,7 +250,8 @@ static rfbBool rfbInitConnection(rfbClient* client)
 
   client->width=client->si.framebufferWidth;
   client->height=client->si.framebufferHeight;
-  client->MallocFrameBuffer(client);
+  if (!client->MallocFrameBuffer(client))
+    return FALSE;
 
   if (!SetFormatAndEncodings(client))
     return FALSE;
author	newsoft <newsoft@MacBook-Air-de-newsoft-2.local>	2014-08-15 16:41:58 +0200
committer	newsoft <newsoft@MacBook-Air-de-newsoft-2.local>	2014-08-15 16:41:58 +0200
commit	85a778c0e45e87e35ee7199f1f25020648e8b812 (patch)
tree	67f488e08d6bd6a89390c2840d96dd6ca909bcae
parent	045a044e8ae79db9244593fbce154cdf6e843273 (diff)
download	libvncserver-85a778c0e45e87e35ee7199f1f25020648e8b812.zip libvncserver-85a778c0e45e87e35ee7199f1f25020648e8b812.tar.gz