From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001

From: akallabeth <akallabeth@posteo.net>

Date: Mon, 30 Mar 2020 18:05:17 +0200

Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved

Thanks to Sunglin and HuanGMz from Knownsec 404

---

 libfreerdp/codec/include/bitmap.c | 4 ++++

 libfreerdp/codec/interleaved.c    | 2 +-

 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c

index 602d1b333..734ed136d 100644

--- a/libfreerdp/codec/include/bitmap.c

+++ b/libfreerdp/codec/include/bitmap.c

@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,

 			case MEGA_MEGA_COLOR_IMAGE:

 				runLength = ExtractRunLength(code, pbSrc, &advance);

 				pbSrc = pbSrc + advance;

+

+				if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))

+					return FALSE;

+

 				UNROLL(runLength,

 				{

 					SRCREADPIXEL(temp, pbSrc);

diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c

index a3fe7dd3f..0d36e9b9f 100644

--- a/libfreerdp/codec/interleaved.c

+++ b/libfreerdp/codec/interleaved.c

@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si

 {

 	const size_t available = (uintptr_t)end - (uintptr_t)start;

 	const BOOL rc = available >= size * base;

-	return rc;

+	return rc && (start <= end);

 }

 static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)

-- 

2.26.2