From 1c2678d2c7121bd8f1b51c4947283a9d16fe0ccc Mon Sep 17 00:00:00 2001 From: Packit Date: Aug 19 2020 14:45:03 +0000 Subject: Apply patch Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch patch_name: Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch location_in_specfile: 3 present_in_specfile: true --- diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c index 602d1b3..734ed13 100644 --- a/libfreerdp/codec/include/bitmap.c +++ b/libfreerdp/codec/include/bitmap.c @@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, case MEGA_MEGA_COLOR_IMAGE: runLength = ExtractRunLength(code, pbSrc, &advance); pbSrc = pbSrc + advance; + + if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) + return FALSE; + UNROLL(runLength, { SRCREADPIXEL(temp, pbSrc); diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c index a3fe7dd..0d36e9b 100644 --- a/libfreerdp/codec/interleaved.c +++ b/libfreerdp/codec/interleaved.c @@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si { const size_t available = (uintptr_t)end - (uintptr_t)start; const BOOL rc = available >= size * base; - return rc; + return rc && (start <= end); } static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)