libvncclient: add bounds checks to UltraZip subrectangle parsing

y637F9QQ2x · bk138 · commit 009008e2f4d5 · 2026-03-22T20:35:49.000+01:00
HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
(derived from the attacker-controlled rect.r.x) without validating
that the pointer stays within the decompressed data buffer. A malicious
server can set a large numCacheRects value, causing heap out-of-bounds
reads via the memcpy calls in the parsing loop.

Add bounds checks before reading the 12-byte subrect header and before
advancing the pointer by the raw pixel data size. Use uint64_t for the
raw data size calculation to prevent integer overflow on 32-bit platforms.
diff --git a/src/libvncclient/ultra.c b/src/libvncclient/ultra.c
@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
   int toRead=0;
   int inflateResult=0;
   unsigned char *ptr=NULL;
+  unsigned char *ptr_end=NULL;
   lzo_uint uncompressedBytes = ry + (rw * 65535);
   unsigned int numCacheRects = rx;
 
@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
   
   /* Put the uncompressed contents of the update on the screen. */
   ptr = (unsigned char *)client->raw_buffer;
+  ptr_end = ptr + uncompressedBytes;
   for (i=0; i<numCacheRects; i++)
   {
     unsigned short sx, sy, sw, sh;
     unsigned int se;
 
+    /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
+    if (ptr + 12 > ptr_end) {
+      rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
+      return FALSE;
+    }
+
     memcpy((char *)&sx, ptr, 2); ptr += 2;
     memcpy((char *)&sy, ptr, 2); ptr += 2;
     memcpy((char *)&sw, ptr, 2); ptr += 2;
@@ -213,12 +221,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
 
     if (se == rfbEncodingRaw)
     {
+        uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
+        if (rawBytes > (size_t)(ptr_end - ptr)) {
+          rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
+          return FALSE;
+        }
         client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
-        ptr += ((sw * sh) * (BPP / 8));
+        ptr += (size_t)rawBytes;
     }
   }  
 
   return TRUE;
 }
 
 #undef CARDBPP
+
