Description
The function rfbSendSetColourMapEntries contains a pointer aliasing and memory alignment issue. This issue may lead to crashes or performance degradation on certain platforms, such as those requiring strict memory alignment (e.g., ARM architectures).
Location
File Path: src/libvncserver/rfbserver.c
Function Name: rfbSendSetColourMapEntries
Code Snippet:
```c
char buf[sz_rfbSetColourMapEntriesMsg + 256 * 3 * 2];
char *wbuf = buf;
rfbSetColourMapEntriesMsg *scme;
uint16_t *rgb;
if (nColours > 256) {
    wbuf = (char *) malloc(sz_rfbSetColourMapEntriesMsg + nColours * 3 * 2);
}
scme = (rfbSetColourMapEntriesMsg *)wbuf;
rgb = (uint16_t *)(&wbuf[sz_rfbSetColourMapEntriesMsg]);
```
Impact
Pointer Aliasing Issue:
The code uses a char array and casts it to rfbSetColourMapEntriesMsg and uint16_t pointers. This may result in unaligned memory access.
Fix
Referencing the patch file commit.patch, the issue can be resolved by:
- Using a union to replace the char array and avoid unsafe typecasting.
- Ensuring proper memory alignment for all accesses.
Ref
This is similar to CVE-2020-14400.
Link: 53073c8
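
The union-based buffer proposed under Fix, sketched as an added example (not the contents of commit.patch and not LibVNCServer code). The `cmap_hdr` layout, the type value `1`, and the names `cmap_buf`, `aligned_for_u16` and `build_cmap_msg` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the message header; layout assumed for this example. */
typedef struct {
    uint8_t  type;
    uint8_t  pad;
    uint16_t firstColour;
    uint16_t nColours;
} cmap_hdr;
_Static_assert(sizeof(cmap_hdr) % sizeof(uint16_t) == 0,
               "RGB data must start on a uint16_t boundary");

/* The union takes the alignment of its strictest member, which a bare
 * char array does not guarantee. Room for 256 RGB triples, as in the issue. */
typedef union {
    cmap_hdr hdr;
    uint16_t words[sizeof(cmap_hdr) / sizeof(uint16_t) + 256 * 3];
} cmap_buf;

/* True when p may be dereferenced as uint16_t on strict-alignment targets. */
int aligned_for_u16(const void *p)
{
    return (uintptr_t)p % _Alignof(uint16_t) == 0;
}

/* Build the message for n colours (3 uint16_t each, host byte order;
 * byte swapping is left out). Returns the length in bytes, 0 on failure.
 * *out is either `stack` or a malloc'ed block that the caller frees. */
size_t build_cmap_msg(cmap_buf *stack, uint16_t first, size_t n,
                      const uint16_t *rgb_in, void **out)
{
    if (n > UINT16_MAX) return 0;            /* nColours is a 16-bit field */
    size_t len = sizeof(cmap_hdr) + n * 3 * sizeof(uint16_t);
    void *mem = stack;
    /* malloc memory is suitably aligned for any object type */
    if (n > 256 && (mem = malloc(len)) == NULL) return 0;

    cmap_hdr *hdr = mem;
    uint16_t *rgb = (uint16_t *)((unsigned char *)mem + sizeof(cmap_hdr));
    hdr->type = 1;                           /* assumed message-type value */
    hdr->pad = 0;
    hdr->firstColour = first;
    hdr->nColours = (uint16_t)n;
    for (size_t i = 0; i < n * 3; i++) rgb[i] = rgb_in[i];
    *out = mem;
    return len;
}
```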