From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:18:12 +0200
Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/codec/planar.c | 15 ++++++++-------
libfreerdp/core/orders.c | 6 ++++++
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 98f2495e2..34c48d786 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
UINT32 nWidth, UINT32 nHeight)
{
+ UINT32 used = 0;
UINT32 x, y;
BYTE controlByte;
- const BYTE* pRLE = pSrcData;
- const BYTE* pEnd = &pSrcData[SrcSize];
for (y = 0; y < nHeight; y++)
{
@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
int cRawBytes;
int nRunLength;
- if (pRLE >= pEnd)
+ if (used >= SrcSize)
return -1;
- controlByte = *pRLE++;
+ controlByte = pSrcData[used++];
nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
cRawBytes = 0;
}
- pRLE += cRawBytes;
+ used += cRawBytes;
x += cRawBytes;
x += nRunLength;
if (x > nWidth)
return -1;
- if (pRLE > pEnd)
+ if (used > SrcSize)
return -1;
}
}
- return (INT32)(pRLE - pSrcData);
+ if (used > INT32_MAX)
+ return -1;
+ return (INT32)used;
}
static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 9f3489f17..e44f0dead 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
}
}
+ if (cache_bitmap->bitmapLength == 0)
+ goto fail;
+
if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
goto fail;
@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
}
}
+ if (cache_bitmap_v2->bitmapLength == 0)
+ goto fail;
+
if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
goto fail;
--
2.26.2