Fix potential memory corruption in libvncclient.

Fixes (maybe amongst others) the following oCERT report ([oCERT-2014-008]):

LibVNCServer HandleRFBServerMessage rfbServerCutText malicious msg.sct.length

It looks like there may be a chance for potential memory corruption when a LibVNCServer client attempts to process a Server Cut Text message.

  case rfbServerCutText:
  {
    char *buffer;

    if (!ReadFromRFBServer(client, ((char *)&msg) + 1,
			   sz_rfbServerCutTextMsg - 1))
      return FALSE;

    msg.sct.length = rfbClientSwap32IfLE(msg.sct.length); << Retrieve malicious length

    buffer = malloc(msg.sct.length+1); << Allocate buffer. Can return 0x0

    if (!ReadFromRFBServer(client, buffer, msg.sct.length)) << Attempt to write to buffer
      return FALSE;

    buffer[msg.sct.length] = 0; << Attempt to write to buffer

    if (client->GotXCutText)
      client->GotXCutText(client, buffer, msg.sct.length); << Attempt to write to buffer

    free(buffer);

    break;
  }

If a message is provided with an extremely large size it is possible to cause the malloc to fail, further leading to an attempt to write 0x0.

1 files changed, 7 insertions, 0 deletions

diff --git a/libvncclient/sockets.c b/libvncclient/sockets.c
index e50ef0e..c09b555 100644
--- a/libvncclient/sockets.c
+++ b/libvncclient/sockets.c
@@ -90,6 +90,13 @@ ReadFromRFBServer(rfbClient* client, char *out, unsigned int n)
 	int nn=n;
 	rfbClientLog("ReadFromRFBServer %d bytes\n",n);
 #endif
+
+  /* Handle attempts to write to NULL out buffer that might occur
+     when an outside malloc() fails. For instance, memcpy() to NULL
+     results in undefined behaviour and probably memory corruption.*/
+  if(!out)
+    return FALSE;
+
   if (client->serverPort==-1) {
     /* vncrec playing */
     rfbVNCRec* rec = client->vncRec;