VNC RRE Parser skips over data
Summary
The RRE Parser skips over 2 bytes, therefore parsing the rectangle wrong.
Steps to reproduce
Listen to VNC traffic that contains a RRE encoded rectangle.
What is the current bug behavior?
The parser skips 2 bytes, causing the background color and following bytes being parsed wrong. The skip: https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-vnc.c#L2361
What is the expected correct behavior?
The background color should follow directly after the number of subrectangles. See the header: https://www.rfc-editor.org/rfc/rfc6143#section-7.7.3 (or https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#rre-encoding)
UltraVNC implementation: https://github.com/ultravnc/UltraVNC/blob/main/vncviewer/ClientConnectionRRE.cpp
Sample capture file
vncRRE.pcapng Filter by vnc and then look for the framebufferupdate packet (no 54)
Relevant logs and/or screenshots
Background color should be 00000000.
Instead those are bytes are used as the bg color
Build information
Version 4.0.4 (v4.0.4-0-gea14d468d9ca).
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with
Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip, with binary plugins.
Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM) i5-4570
CPU @ 3.20GHz (with SSE4.2), with 16290 MB of physical memory, with GLib 2.72.3,
with PCRE2 10.40 2022-04-14, with Qt 5.15.2, with Npcap version 1.71, based on
libpcap version 1.10.2-PRE-GIT, with c-ares 1.18.1, with GnuTLS 3.6.3, with
Gcrypt 1.10.1, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.3, with
Zstandard 1.5.2, without AirPcap, with light display mode, without HiDPI, with
LC_TYPE=German_Germany.utf8, binary plugins supported.