Description: Check malloc() return value (CVE-2014-6053) Check malloc() return value on client->server ClientCutText message. Client can send up to 2**32-1 bytes of text, and such a large allocation is likely to fail in case of high memory pressure. This would in a server crash (write at address 0). Origin: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/server/libvncserver/rfbserver.c +++ b/server/libvncserver/rfbserver.c @@ -851,6 +851,11 @@ msg.cct.length = Swap32IfLE(msg.cct.length); str = (char *)malloc(msg.cct.length); + if (str == NULL) { + rfbLogPerror("rfbProcessClientNormalMessage: not enough memory"); + rfbCloseClient(cl); + return; + } if ((n = ReadExact(cl, str, msg.cct.length)) <= 0) { if (n != 0)