Server hangs permanently if Mirage mirror driver returns counter >= 20000 (2.8.87)

Brought to you by: anton19286, const_k, crazy-walrus

#1663 Server hangs permanently if Mirage mirror driver returns counter >= 20000 (2.8.87)

Status: open

Owner: nobody

Labels: Server (9) Win32 (10)

Priority: 6

Updated: 1 day ago

Created: 1 day ago

Creator: Securin Disclose

Private: No

MirrorScreenDriver::execute() (desktop/MirrorScreenDriver.cpp:170-172):

for (unsigned long i = m_lastCounter; i != currentCounter;
     i++, i %= MAXCHANGES_BUF)

MAXCHANGES_BUF=20000. After i%=20000, i is always in [0,19999].
If the driver gives counter=25000, i never equals 25000 -> infinite loop.
Loop holds AutoLock(m_fbMutex) -> all encoder/update threads deadlock.

Secondary: m_lastCounter stored unclamped (line 180). Next call: i starts
at 25000; changesBuf->pointrect[25000] accessed before modulo step ->
out-of-bounds on the 20000-element array.

Attached PoC runs the exact loop logic: counter=25000 does not exit in
200 000 iterations (confirmed timeout). OOB index 25000>=20000 confirmed.

Fix: currentCounter %= MAXCHANGES_BUF immediately after reading it.
Version: 2.8.87.

Server hangs permanently if Mirage mirror driver returns counter >= 20000 (2.8.87)

Group

Searches

Help

#1663 Server hangs permanently if Mirage mirror driver returns counter >= 20000 (2.8.87)

Discussion