libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
Reference and upstream commit:
Created libvncserver tracking bugs for this issue:
Affects: epel-7 [bug 1829872]
Affects: fedora-all [bug 1829871]
*** This bug has been marked as a duplicate of bug 1811948 ***
This flaw was found to be a duplicate of CVE-2019-15690. Please see https://access.redhat.com/security/cve/CVE-2019-15690 for information about affected products and security errata.