In LibVNCServer through 0.9.12, the HandleCursorShape function in libvncclient/cursor.c has an integer overflow and a heap-based buffer overflow that can be triggered by a large height or width value. NOTE: this may overlap CVE-2019-15690.
{ "vanir_signatures": [ { "source": "https://github.com/libvnc/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed", "digest": { "length": 2878.0, "function_hash": "166509097659370788785687778228924176187" }, "target": { "file": "libvncclient/cursor.c", "function": "HandleCursorShape" }, "signature_version": "v1", "deprecated": false, "signature_type": "Function", "id": "CVE-2019-20788-189abd97" }, { "source": "https://github.com/libvnc/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed", "digest": { "line_hashes": [ "102057262279662452688778988803141241357", "175955773102106351237323041340518821685", "240545567691954465949188256110399956644", "204796747639085440341262894639991613085" ], "threshold": 0.9 }, "target": { "file": "libvncclient/cursor.c" }, "signature_version": "v1", "deprecated": false, "signature_type": "Line", "id": "CVE-2019-20788-36246abd" } ] }