From 0c73eee42134140a4ee207a256278c5812ef64ff Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 02 2019 10:58:38 +0000
Subject: import freerdp-1.0.2-15.el7_6.1


---

diff --git a/SOURCES/CVE-2018-8786.patch b/SOURCES/CVE-2018-8786.patch
new file mode 100644
index 0000000..d3ba04a
--- /dev/null
+++ b/SOURCES/CVE-2018-8786.patch
@@ -0,0 +1,14 @@
+diff --git a/libfreerdp-core/update.c b/libfreerdp-core/update.c
+index c828b2214..5af9f6ab1 100644
+--- a/libfreerdp-core/update.c
++++ b/libfreerdp-core/update.c
+@@ -90,7 +90,7 @@ void update_read_bitmap(rdpUpdate* update, STREAM* s, BITMAP_UPDATE* bitmap_upda
+ 
+ 	if (bitmap_update->number > bitmap_update->count)
+ 	{
+-		uint16 count;
++		uint32 count;
+ 
+ 		count = bitmap_update->number * 2;
+ 
+
diff --git a/SOURCES/CVE-2018-8787.patch b/SOURCES/CVE-2018-8787.patch
new file mode 100644
index 0000000..8d88554
--- /dev/null
+++ b/SOURCES/CVE-2018-8787.patch
@@ -0,0 +1,34 @@
+diff --git a/libfreerdp-gdi/graphics.c b/libfreerdp-gdi/graphics.c
+index 04816334c..5a49bd365 100644
+--- a/libfreerdp-gdi/graphics.c
++++ b/libfreerdp-gdi/graphics.c
+@@ -30,6 +30,8 @@
+ #include <freerdp/codec/bitmap.h>
+ #include <freerdp/cache/glyph.h>
+ 
++#include <stdint.h>
++
+ #include "graphics.h"
+ 
+ /* Bitmap Class */
+@@ -89,9 +91,18 @@ void gdi_Bitmap_Paint(rdpContext* context, rdpBitmap* bitmap)
+ void gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap,
+ 		uint8* data, int width, int height, int bpp, int length, boolean compressed)
+ {
+-	uint16 size;
++	uint32 size = width * height;
++	int bpp_op = (bpp + 7) / 8;
++
++	if ((bpp == 0) ||
++	    (width == 0) || (height == 0) || (width > UINT32_MAX / height) ||
++	    (size > (UINT32_MAX / bpp_op)))
++	{
++		printf("gdi_Bitmap_Decompress failed\n");
++		abort();
++	}
+ 
+-	size = width * height * (bpp + 7) / 8;
++	size *= bpp_op;
+ 
+ 	if (bitmap->data == NULL)
+ 		bitmap->data = (uint8*) xmalloc(size);
diff --git a/SOURCES/CVE-2018-8788.patch b/SOURCES/CVE-2018-8788.patch
new file mode 100644
index 0000000..a8ae95f
--- /dev/null
+++ b/SOURCES/CVE-2018-8788.patch
@@ -0,0 +1,88 @@
+diff --git a/libfreerdp-codec/nsc.c b/libfreerdp-codec/nsc.c
+index a39bdd33e..a86ea80f4 100644
+--- a/libfreerdp-codec/nsc.c
++++ b/libfreerdp-codec/nsc.c
+@@ -217,6 +217,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+ 
+ 		if (i == 5)
+ 		{
++			if (stream_get_left(out) < 1)
++			{
++				printf("nsc_rle_decode failed");
++				abort();
++			}
+ 			stream_write_uint8(out,value);
+ 			i-=1;
+ 		}
+@@ -228,6 +233,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+ 			{
+ 				uint8 len;
+ 				stream_read_uint8(in, len);
++				if (stream_get_left(out) < len+2)
++				{
++					printf("nsc_rle_decode failed");
++					abort();
++				}
+ 				stream_set_byte(out, value, len+2);
+ 				i -= (len+2);
+ 			}
+@@ -236,17 +246,32 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+ 				uint32 len;
+ 				stream_seek(in, 1);
+ 				stream_read_uint32(in, len);
++				if (stream_get_left (out) < len)
++				{
++					printf("nsc_rle_decode failed");
++					abort();
++				}
+ 				stream_set_byte(out, value, len);
+ 				i -= len;
+ 			}
+ 		}
+ 		else
+ 		{
++			if (stream_get_left(out) < 1)
++			{
++				printf("nsc_rle_decode failed");
++				abort();
++			}
+ 			stream_write_uint8(out, value);
+ 			i -= 1;
+ 		}
+ 	}
+ 
++	if (stream_get_left(out) < 4)
++	{
++		printf("nsc_rle_decode failed");
++		abort();
++	}
+ 	stream_copy(out, in, 4);
+ }
+ 
+@@ -264,11 +289,25 @@ void nsc_rle_decompress_data(NSC_CONTEXT* context)
+ 		origsize = context->OrgByteCount[i];
+ 
+ 		if (i == 3 && context->nsc_stream->PlaneByteCount[i] == 0)
++		{
++			if (stream_get_left(context->org_buf[i]) < origsize)
++			{
++				printf("nsc_rle_decompress_data failed");
++				abort();
++			}
+ 			stream_set_byte(context->org_buf[i], 0xff, origsize);
++		}
+ 		else if (context->nsc_stream->PlaneByteCount[i] < origsize)
+ 			nsc_rle_decode(rles, context->org_buf[i], origsize);
+ 		else
++		{
++			if (stream_get_left(context->org_buf[i]) < origsize)
++			{
++				printf("nsc_rle_decompress_data failed");
++				abort();
++			}
+ 			stream_copy(context->org_buf[i], rles, origsize);
++		}
+ 
+ 		context->org_buf[i]->p = context->org_buf[i]->data;
+ 	}
+
diff --git a/SPECS/freerdp.spec b/SPECS/freerdp.spec
index 2a39343..8efc64f 100644
--- a/SPECS/freerdp.spec
+++ b/SPECS/freerdp.spec
@@ -1,6 +1,6 @@
 Name:           freerdp
 Version:        1.0.2
-Release:        15%{?dist}
+Release:        15%{?dist}.1
 Summary:        Remote Desktop Protocol client
 
 Group:          Applications/Communications
@@ -83,6 +83,18 @@ Patch18: Fix-colors-on-big-endian.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1363811
 Patch19: FIPS-mode-support.patch
 
+# Fix CVE-2018-8786
+# https://bugzilla.redhat.com/show_bug.cgi?id=1684152
+Patch21: CVE-2018-8786.patch
+
+# Fix CVE-2018-8787
+# https://bugzilla.redhat.com/show_bug.cgi?id=1684156
+Patch22: CVE-2018-8787.patch
+
+# Fix CVE-2018-8788
+# https://bugzilla.redhat.com/show_bug.cgi?id=1684163
+Patch23: CVE-2018-8788.patch
+
 %description
 The xfreerdp Remote Desktop Protocol (RDP) client from the FreeRDP
 project.
@@ -148,6 +160,9 @@ developing applications that use %{name}-libs.
 %patch18 -p1 -b .Fix-colors-on-big-endian
 %patch19 -p1 -b .FIPS-mode-support
 %patch20 -p1 -b .Fix-smartcard-usage-in-manpage
+%patch21 -p1 -b .CVE-2018-8786
+%patch22 -p1 -b .CVE-2018-8787
+%patch23 -p1 -b .CVE-2018-8788
 
 cat << EOF > xfreerdp.desktop 
 [Desktop Entry]
@@ -237,6 +252,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 
 %changelog
+* Fri Mar 8 2019 Ondrej Holy <oholy@redhat.com> - 1.0.2-15.1
+- Fix CVE-2018-8786 (#1684152)
+- Fix CVE-2018-8787 (#1684156)
+- Fix CVE-2018-8788 (#1684163)
+
 * Wed Jan 31 2018 Ondrej Holy <oholy@redhat.com> - 1.0.2-15
 - Fix smartcard usage in manpage (#1428041)