From 883aa45bd858cd06f932c9a064f99c23e1c666df Mon Sep 17 00:00:00 2001 From: Packit Date: Aug 19 2020 14:45:03 +0000 Subject: Apply patch Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch patch_name: Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch location_in_specfile: 1 present_in_specfile: true --- diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c index 98f2495..34c48d7 100644 --- a/libfreerdp/codec/planar.c +++ b/libfreerdp/codec/planar.c @@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane( static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, UINT32 nWidth, UINT32 nHeight) { + UINT32 used = 0; UINT32 x, y; BYTE controlByte; - const BYTE* pRLE = pSrcData; - const BYTE* pEnd = &pSrcData[SrcSize]; for (y = 0; y < nHeight; y++) { @@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, int cRawBytes; int nRunLength; - if (pRLE >= pEnd) + if (used >= SrcSize) return -1; - controlByte = *pRLE++; + controlByte = pSrcData[used++]; nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte); cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte); @@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, cRawBytes = 0; } - pRLE += cRawBytes; + used += cRawBytes; x += cRawBytes; x += nRunLength; if (x > nWidth) return -1; - if (pRLE > pEnd) + if (used > SrcSize) return -1; } } - return (INT32)(pRLE - pSrcData); + if (used > INT32_MAX) + return -1; + return (INT32)used; } static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c index 9f3489f..e44f0de 100644 --- a/libfreerdp/core/orders.c +++ b/libfreerdp/core/orders.c 
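Review bot: `used` is now a `UINT32`, but `used += cRawBytes;` in the third planar.c hunk still adds an `int`, as do `x += cRawBytes;` and `x += nRunLength;`, so the bounds arithmetic relies on implicit signed-to-unsigned conversion. The control-byte macros are not visible here and presumably yield small non-negative values, but declaring the two locals as `UINT32 cRawBytes;` and `UINT32 nRunLength;` would keep the `used > SrcSize` and `x > nWidth` checks from depending on that assumption. A short comment above the function would also state the contract for callers: `/* Returns the number of source bytes consumed by one RLE plane, or -1 if the data is truncated or a scanline exceeds nWidth. */`. The part of the loop between the second and third hunks is not shown, so confirm that no branch there needs these variables to be signed.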
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt } } + if (cache_bitmap->bitmapLength == 0) + goto fail; + if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength) goto fail; @@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat } } + if (cache_bitmap_v2->bitmapLength == 0) + goto fail; + if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength) goto fail;
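Review bot: The new `bitmapLength == 0` rejection in update_read_cache_bitmap_order has no comment, and neither does the identical check added in update_read_cache_bitmap_v2_order, so a later reader cannot tell that it is a security guard and might remove it as redundant. I would add above each one something like `/* Empty bitmap data is invalid; reject it before it is handed to the codec (CVE-2020-11521). */`. These hunks check the length only against zero and the remaining stream length. Whether it is also consistent with the bitmap dimensions is presumably validated later by the decoder, which is worth confirming. Both function bodies start and end outside the hunks.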