|
 |
8b16a4 |
From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001
|
|
|
8b16a4 |
From: akallabeth <akallabeth@posteo.net>
|
|
|
8b16a4 |
Date: Mon, 30 Mar 2020 17:32:04 +0200
|
|
|
8b16a4 |
Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0
|
|
|
8b16a4 |
|
|
|
8b16a4 |
Thanks to Sunglin and HuanGMz from Knownsec 404
|
|
|
8b16a4 |
---
|
|
|
8b16a4 |
libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++--
|
|
|
8b16a4 |
1 file changed, 34 insertions(+), 2 deletions(-)
|
|
|
8b16a4 |
|
|
|
8b16a4 |
diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
|
|
|
8b16a4 |
index d3b28b562..1ffbf79bf 100644
|
|
|
8b16a4 |
--- a/libfreerdp/gdi/region.c
|
|
|
8b16a4 |
+++ b/libfreerdp/gdi/region.c
|
|
|
8b16a4 |
@@ -37,6 +37,19 @@
|
|
|
8b16a4 |
|
|
|
8b16a4 |
#define TAG FREERDP_TAG("gdi.region")
|
|
|
8b16a4 |
|
|
|
8b16a4 |
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
|
|
|
8b16a4 |
+{
|
|
|
8b16a4 |
+ if (!buffer || (size < 1) || !rect)
|
|
|
8b16a4 |
+ return NULL;
|
|
|
8b16a4 |
+
|
|
|
8b16a4 |
+ _snprintf(buffer, size - 1,
|
|
|
8b16a4 |
+ "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
|
|
|
8b16a4 |
+ rect->left, rect->bottom, rect->right);
|
|
|
8b16a4 |
+ buffer[size - 1] = '\0';
|
|
|
8b16a4 |
+
|
|
|
8b16a4 |
+ return buffer;
|
|
|
8b16a4 |
+}
|
|
|
8b16a4 |
+
|
|
|
8b16a4 |
/**
|
|
|
8b16a4 |
* Create a region from rectangular coordinates.\n
|
|
|
8b16a4 |
* @msdn{dd183514}
|
|
|
8b16a4 |
@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,
|
|
|
8b16a4 |
INT32* x, INT32* y,
|
|
|
8b16a4 |
INT32* w, INT32* h)
|
|
|
8b16a4 |
{
|
|
|
8b16a4 |
+ INT64 tmp;
|
|
|
8b16a4 |
*x = rect->left;
|
|
|
8b16a4 |
*y = rect->top;
|
|
|
8b16a4 |
- *w = rect->right - rect->left + 1;
|
|
|
8b16a4 |
- *h = rect->bottom - rect->top + 1;
|
|
|
8b16a4 |
+ tmp = rect->right - rect->left + 1;
|
|
|
8b16a4 |
+ if ((tmp < 0) || (tmp > INT32_MAX))
|
|
|
8b16a4 |
+ {
|
|
|
8b16a4 |
+ char buffer[256];
|
|
|
8b16a4 |
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
|
|
|
8b16a4 |
+ gdi_rect_str(buffer, sizeof(buffer), rect));
|
|
|
8b16a4 |
+ *w = 0;
|
|
|
8b16a4 |
+ }
|
|
|
8b16a4 |
+ else
|
|
|
8b16a4 |
+ *w = tmp;
|
|
|
8b16a4 |
+ tmp = rect->bottom - rect->top + 1;
|
|
|
8b16a4 |
+ if ((tmp < 0) || (tmp > INT32_MAX))
|
|
|
8b16a4 |
+ {
|
|
|
8b16a4 |
+ char buffer[256];
|
|
|
8b16a4 |
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
|
|
|
8b16a4 |
+ gdi_rect_str(buffer, sizeof(buffer), rect));
|
|
|
8b16a4 |
+ *h = 0;
|
|
|
8b16a4 |
+ }
|
|
|
8b16a4 |
+ else
|
|
|
8b16a4 |
+ *h = tmp;
|
|
|
8b16a4 |
}
|
|
|
8b16a4 |
|
|
|
8b16a4 |
/**
|
|
|
8b16a4 |
--
|
|
|
8b16a4 |
2.26.2
|
|
|
8b16a4 |
|