From e38dd7e00e7f9653adfb3420b2b61ee9fba81e31 Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Mar 19 2014 12:32:52 +0000
Subject: Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
Resolves: rhbz#1050928
---
diff --git a/tigervnc-CVE-2014-0011.patch b/tigervnc-CVE-2014-0011.patch
new file mode 100644
index 0000000..0075720
--- /dev/null
+++ b/tigervnc-CVE-2014-0011.patch
@@ -0,0 +1,49 @@
+diff -up tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 tigervnc-1.3.0/common/CMakeLists.txt
+--- tigervnc-1.3.0/common/CMakeLists.txt.CVE-2014-0011 2013-07-01 13:42:01.000000000 +0100
++++ tigervnc-1.3.0/common/CMakeLists.txt 2014-02-04 16:59:10.840037314 +0000
+@@ -23,3 +23,6 @@ if(CMAKE_COMPILER_IS_GNUCXX AND (CMAKE_S
+ set_target_properties(zlib PROPERTIES COMPILE_FLAGS -fPIC)
+ endif()
+ endif()
++
++# Turn asserts on.
++set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)
+diff -up tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 tigervnc-1.3.0/common/rfb/zrleDecode.h
+--- tigervnc-1.3.0/common/rfb/zrleDecode.h.CVE-2014-0011 2013-07-01 13:41:59.000000000 +0100
++++ tigervnc-1.3.0/common/rfb/zrleDecode.h 2014-02-04 16:17:00.881565540 +0000
+@@ -25,9 +25,10 @@
+ // FILL_RECT - fill a rectangle with a single colour
+ // IMAGE_RECT - draw a rectangle of pixel data from a buffer
+
++#include
+ #include
+ #include
+-#include
++#include
+
+ namespace rfb {
+
+@@ -143,7 +144,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
+ len += b;
+ } while (b == 255);
+
+- assert(len <= end - ptr);
++ if (end - ptr < len) {
++ fprintf (stderr, "ZRLE decode error\n");
++ throw Exception ("ZRLE decode error");
++ }
+
+ #ifdef FAVOUR_FILL_RECT
+ int i = ptr - buf;
+@@ -193,7 +197,10 @@ void ZRLE_DECODE (const Rect& r, rdr::In
+ len += b;
+ } while (b == 255);
+
+- assert(len <= end - ptr);
++ if (end - ptr < len) {
++ fprintf (stderr, "ZRLE decode error\n");
++ throw Exception ("ZRLE decode error");
++ }
+ }
+
+ index &= 127;
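Review bot: The new guard `if (end - ptr < len)` at +144 and +197 in zrleDecode.h still admits a negative `len`: `len` is declared outside the hunk, and if it is a plain `int` a malicious server can feed enough 0xFF continuation bytes into the `len += b` loop to overflow it (undefined behaviour for a signed int), after which `end - ptr < len` is false and the bogus length flows into whatever consumes it next, outside the hunk. Rejecting that case is a one-line change, `if (len < 0 || end - ptr < len) {`, and since the same four lines are duplicated in both hunks a small static helper would keep the two checks from drifting apart. In the CMakeLists.txt hunk, `set_target_properties(rdr rfb PROPERTIES COMPILE_FLAGS -UNDEBUG)` replaces whatever COMPILE_FLAGS those targets already carry (the `-fPIC` case a few lines up sets the same property on zlib); `set_property(TARGET rdr rfb APPEND_STRING PROPERTY COMPILE_FLAGS " -UNDEBUG")` appends instead, and the comment should record the intent, e.g. `# Turn asserts on: the decoders relied on assert() for bounds checks (see the removed assert(len <= end - ptr)), so a crash is preferable to silent memory corruption.` The `#include` lines in this rendering have lost their header names, so it cannot be confirmed here that the added one is `<stdio.h>` for fprintf and the removed one `<assert.h>`; the enclosing ZRLE_DECODE function begins and ends outside the hunk.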
diff --git a/tigervnc.spec b/tigervnc.spec
index cf999e5..60d3415 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,6 +1,6 @@
 Name: tigervnc
 Version: 1.3.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: A TigerVNC remote display system
 Group: User Interface/Desktops
@@ -50,6 +50,7 @@ Patch10: tigervnc-1.3.0-xserver-1.15.patch
 Patch11: tigervnc-format-security.patch
 Patch12: tigervnc-zrle-crash.patch
 Patch13: tigervnc-cursor.patch
+Patch14: tigervnc-CVE-2014-0011.patch
 %description
 Virtual Network Computing (VNC) is a remote display system which
@@ -183,6 +184,9 @@ popd
 # Fixed viewer crash when cursor has not been set (bug #1038701).
 %patch13 -p1 -b .cursor
+# Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
+%patch14 -p1 -b .CVE-2014-0011
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@@ -355,6 +359,9 @@ fi
 %{_datadir}/icons/hicolor/*/apps/*
 %changelog
+* Wed Mar 19 2014 Tim Waugh 1.3.0-14
+- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928).
+
 * Mon Feb 10 2014 Tim Waugh 1.3.0-13
 - Clearer xstartup file (bug #923655).