From ea53eccd653704d75dcaea8982586abebb8378ec Mon Sep 17 00:00:00 2001
From: Packit
Date: Aug 19 2020 14:45:03 +0000
Subject: Apply patch Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
patch_name: Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
location_in_specfile: 2
present_in_specfile: true
---
diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
index d3b28b5..1ffbf79 100644
--- a/libfreerdp/gdi/region.c
+++ b/libfreerdp/gdi/region.c
@@ -37,6 +37,19 @@
 #define TAG FREERDP_TAG("gdi.region")
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
+{
+ if (!buffer || (size < 1) || !rect)
+ return NULL;
+
+ _snprintf(buffer, size - 1,
+ "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
+ rect->left, rect->bottom, rect->right);
+ buffer[size - 1] = '\0';
+
+ return buffer;
+}
+
 /**
 * Create a region from rectangular coordinates.\n
 * @msdn{dd183514}
@@ -134,10 +147,29 @@
 INLINE void gdi_RectToCRgn(const HGDI_RECT rect, INT32* x, INT32* y, INT32* w, INT32* h)
 {
+ INT64 tmp;
 *x = rect->left;
 *y = rect->top;
- *w = rect->right - rect->left + 1;
- *h = rect->bottom - rect->top + 1;
+ tmp = rect->right - rect->left + 1;
+ if ((tmp < 0) || (tmp > INT32_MAX))
+ {
+ char buffer[256];
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+ gdi_rect_str(buffer, sizeof(buffer), rect));
+ *w = 0;
+ }
+ else
+ *w = tmp;
+ tmp = rect->bottom - rect->top + 1;
+ if ((tmp < 0) || (tmp > INT32_MAX))
+ {
+ char buffer[256];
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+ gdi_rect_str(buffer, sizeof(buffer), rect));
+ *h = 0;
+ }
+ else
+ *h = tmp;
 }
 /**
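Review bot: The new helper gdi_rect_str has no comment stating its contract, yet it returns NULL when `buffer` or `rect` is NULL or `size` is 0, and the caller added in this same patch passes the result straight to a `%s` conversion. In that caller both arguments are valid, but a doc comment would make the rule explicit for later users, for example `/* Format rect into buffer (always NUL-terminated); returns buffer, or NULL on invalid arguments. */`. The format string also reads `-bottom/right%` without the `=` that follows `top/left`. The return value of `_snprintf` is ignored, so a truncated rectangle string would be logged without any indication.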
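Review bot: In gdi_RectToCRgn the expression `rect->right - rect->left + 1` is still evaluated in the operands' own type and only then stored in `INT64 tmp`. If the rectangle fields are 32-bit, as the `PRId32` conversions in gdi_rect_str suggest, extreme coordinates can overflow the signed subtraction before the range check runs, and the `tmp > INT32_MAX` branch can never be taken. Widen one operand first: `tmp = (INT64)rect->right - rect->left + 1;` and likewise `tmp = (INT64)rect->bottom - rect->top + 1;`. The function still returns void, so callers cannot tell a clamped `0` from a computed one. A comment such as `/* invalid rectangles yield w/h == 0; callers must treat that as empty */` would help anyone auditing the call sites, which are outside this hunk.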