ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)

A wrong exit condition may lead to an infinite loop when inflating a valid zlib buffer containing some extra bytes in the `inflate_buffer` function. The bug only occurs post-authentication. Return the buffer immediately if the end of the compressed data has been reached (Z_STREAM_END). Fixes: CVE-2023-3255 Fixes: 0bf41cab ("ui/vnc: clipboard support") Reported-by: Kevin Denis <kevin.denis@synacktiv.com> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
3 years ago · d921fea338
1 changed files with 4 additions and 6 deletions
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
        ret = inflate(&stream, Z_FINISH);
        switch (ret) {
        case Z_OK:
-        case Z_STREAM_END:
            break;
+        case Z_STREAM_END:
+            *size = stream.total_out;
+            inflateEnd(&stream);
+            return out;
        case Z_BUF_ERROR:
            out_len <<= 1;
            if (out_len > (1 << 20)) {
@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
        }
    }

-    *size = stream.total_out;
-    inflateEnd(&stream);
-
-    return out;
-
 err_end:
    inflateEnd(&stream);
 err: