From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001

From: akallabeth <akallabeth@posteo.net>

Date: Mon, 30 Mar 2020 17:32:04 +0200

Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0

Thanks to Sunglin and HuanGMz from Knownsec 404

---

 libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++--

 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c

index d3b28b562..1ffbf79bf 100644

--- a/libfreerdp/gdi/region.c

+++ b/libfreerdp/gdi/region.c

@@ -37,6 +37,19 @@

 #define TAG FREERDP_TAG("gdi.region")

+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)

+{

+	if (!buffer || (size < 1) || !rect)

+		return NULL;

+

+	_snprintf(buffer, size - 1,

+	          "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,

+	          rect->left, rect->bottom, rect->right);

+		buffer[size - 1] = '\0';

+

+	        return buffer;

+}

+

 /**

  * Create a region from rectangular coordinates.\n

  * @msdn{dd183514}

@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,

                            INT32* x, INT32* y,

                            INT32* w, INT32* h)

 {

+	INT64 tmp;

 	*x = rect->left;

 	*y = rect->top;

-	*w = rect->right - rect->left + 1;

-	*h = rect->bottom - rect->top + 1;

+	tmp = rect->right - rect->left + 1;

+	if ((tmp < 0) || (tmp > INT32_MAX))

+	{

+		char buffer[256];

+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,

+		         gdi_rect_str(buffer, sizeof(buffer), rect));

+		*w = 0;

+	}

+	else

+		*w = tmp;

+	tmp = rect->bottom - rect->top + 1;

+	if ((tmp < 0) || (tmp > INT32_MAX))

+	{

+		char buffer[256];

+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,

+		         gdi_rect_str(buffer, sizeof(buffer), rect));

+		*h = 0;

+	}

+	else

+		*h = tmp;

 }

 /**

-- 

2.26.2