rpms / freerdp

Clone
Source Code
GIT

Files

  1.   b460d25e1ca378c6321e1a9b9a5a331e22f3c0da
  2.   SOURCES
  3.   Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
Blob Blame History Raw 
From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:18:12 +0200
Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.

Thanks to Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/codec/planar.c | 15 ++++++++-------
 libfreerdp/core/orders.c  |  6 ++++++
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 98f2495e2..34c48d786 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
 static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
         UINT32 nWidth, UINT32 nHeight)
 {
+	UINT32 used = 0;
 	UINT32 x, y;
 	BYTE controlByte;
-	const BYTE* pRLE = pSrcData;
-	const BYTE* pEnd = &pSrcData[SrcSize];
 
 	for (y = 0; y < nHeight; y++)
 	{
@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 			int cRawBytes;
 			int nRunLength;
 
-			if (pRLE >= pEnd)
+			if (used >= SrcSize)
 				return -1;
 
-			controlByte = *pRLE++;
+			controlByte = pSrcData[used++];
 			nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
 			cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
 
@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 				cRawBytes = 0;
 			}
 
-			pRLE += cRawBytes;
+			used += cRawBytes;
 			x += cRawBytes;
 			x += nRunLength;
 
 			if (x > nWidth)
 				return -1;
 
-			if (pRLE > pEnd)
+			if (used > SrcSize)
 				return -1;
 		}
 	}
 
-	return (INT32)(pRLE - pSrcData);
+	if (used > INT32_MAX)
+		return -1;
+	return (INT32)used;
 }
 
 static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 9f3489f17..e44f0dead 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
 		}
 	}
 
+	if (cache_bitmap->bitmapLength == 0)
+		goto fail;
+
 	if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
 		goto fail;
 
@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
 		}
 	}
 
+	if (cache_bitmap_v2->bitmapLength == 0)
+		goto fail;
+
 	if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
 		goto fail;
 
-- 
2.26.2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation