diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
new file mode 100644
index 0000000000..be426932db
--- /dev/null
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
@@ -0,0 +1,76 @@
+From 24cac3821d1665a4ed0501e6056925ef9ee53b99 Mon Sep 17 00:00:00 2001
+From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
+Date: Sun, 22 Mar 2026 20:35:49 +0100
+Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle
+ parsing
+
+HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
+(derived from the attacker-controlled rect.r.x) without validating
+that the pointer stays within the decompressed data buffer. A malicious
+server can set a large numCacheRects value, causing heap out-of-bounds
+reads via the memcpy calls in the parsing loop.
+
+Add bounds checks before reading the 12-byte subrect header and before
+advancing the pointer by the raw pixel data size. Use uint64_t for the
+raw data size calculation to prevent integer overflow on 32-bit platforms.
+
+(cherry picked from commit 009008e2f4d5a54dd71f422070df3af7b3dbc931)
+
+CVE: CVE-2026-32853
+Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libvncclient/ultra.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
+index 1d3aaba6..5633b8cb 100644
+--- a/libvncclient/ultra.c
++++ b/libvncclient/ultra.c
+@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+   int toRead=0;
+   int inflateResult=0;
+   unsigned char *ptr=NULL;
++  unsigned char *ptr_end=NULL;
+   lzo_uint uncompressedBytes = ry + (rw * 65535);
+   unsigned int numCacheRects = rx;
+ 
+@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+   
+   /* Put the uncompressed contents of the update on the screen. */
+   ptr = (unsigned char *)client->raw_buffer;
++  ptr_end = ptr + uncompressedBytes;
+   for (i=0; i<numCacheRects; i++)
+   {
+     unsigned short sx, sy, sw, sh;
+     unsigned int se;
+ 
++    /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
++    if (ptr + 12 > ptr_end) {
++      rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
++      return FALSE;
++    }
++
+     memcpy((char *)&sx, ptr, 2); ptr += 2;
+     memcpy((char *)&sy, ptr, 2); ptr += 2;
+     memcpy((char *)&sw, ptr, 2); ptr += 2;
+@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ 
+     if (se == rfbEncodingRaw)
+     {
++        uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
++        if (rawBytes > (size_t)(ptr_end - ptr)) {
++          rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
++          return FALSE;
++        }
+         client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
+-        ptr += ((sw * sh) * (BPP / 8));
++        ptr += (size_t)rawBytes;
+     }
+   }  
+ 
+@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ }
+ 
+ #undef CARDBPP
++
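Review bot: The subrect header guard `if (ptr + 12 > ptr_end)` in the second ultra.c hunk forms the pointer before testing it, so when fewer than 12 bytes remain the expression itself can point more than one past the end of the buffer, which is undefined behaviour in C. Comparing the remaining length avoids this and matches the raw-data check added a few lines below: `if ((size_t)(ptr_end - ptr) < 12) {`. Both checks are only as strong as `ptr_end = ptr + uncompressedBytes`. The code that decompresses into `client->raw_buffer` and sizes that buffer sits between the hunks and is not visible here, so confirm that `uncompressedBytes` holds the actual decompressed length at that point and never exceeds the allocation. The body of HandleUltraZipBPP starts and continues outside these hunks.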
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
index 6f271ee0d3..11efd7cc0f 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
@@ -44,7 +44,9 @@ FILES:libvncclient = "${libdir}/libvncclient.*"
 
 inherit cmake pkgconfig
 
-SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https"
+SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
+           file://CVE-2026-32853.patch \
+"
 SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"
 
 S = "${WORKDIR}/git"
