From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:05:17 +0200
Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved

Thanks to Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/codec/include/bitmap.c | 4 ++++
 libfreerdp/codec/interleaved.c    | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
index 602d1b333..734ed136d 100644
--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,
 			case MEGA_MEGA_COLOR_IMAGE:
 				runLength = ExtractRunLength(code, pbSrc, &advance);
 				pbSrc = pbSrc + advance;
+
+				if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
+					return FALSE;
+
 				UNROLL(runLength,
 				{
 					SRCREADPIXEL(temp, pbSrc);
diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
index a3fe7dd3f..0d36e9b9f 100644
--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si
 {
 	const size_t available = (uintptr_t)end - (uintptr_t)start;
 	const BOOL rc = available >= size * base;
-	return rc;
+	return rc && (start <= end);
 }
 
 static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)
-- 
2.26.2