From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:18:12 +0200
Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/codec/planar.c | 15 ++++++++-------
libfreerdp/core/orders.c | 6 ++++++
2 files changed, 14 insertions(+), 7 deletions(-)
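diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 98f2495e2..34c48d786 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
 static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 UINT32 nWidth, UINT32 nHeight)
 {
+ UINT32 used = 0;
 UINT32 x, y;
 BYTE controlByte;
- const BYTE* pRLE = pSrcData;
- const BYTE* pEnd = &pSrcData[SrcSize];
 
 for (y = 0; y < nHeight; y++)
 {
@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 int cRawBytes;
 int nRunLength;
 
- if (pRLE >= pEnd)
+ if (used >= SrcSize)
 return -1;
 
- controlByte = *pRLE++;
+ controlByte = pSrcData[used++];
 nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
 cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
 
@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 cRawBytes = 0;
 }
 
- pRLE += cRawBytes;
+ used += cRawBytes;
 x += cRawBytes;
 x += nRunLength;
 
 if (x > nWidth)
 return -1;
 
- if (pRLE > pEnd)
+ if (used > SrcSize)
 return -1;
 }
 }
 
- return (INT32)(pRLE - pSrcData);
+ if (used > INT32_MAX)
+ return -1;
+ return (INT32)used;
 }
 
 static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,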
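Review bot: In planar_skip_plane_rle the raw-byte bound is still checked only after the cursor has moved: `used += cRawBytes;` runs first and `if (used > SrcSize)` follows the width check. Since `used` is at most SrcSize once the control byte has been read, testing the remaining space before advancing, `if ((UINT32)cRawBytes > SrcSize - used) return -1;`, keeps `used <= SrcSize` true at every step and rules out UINT32 wrap-around for a SrcSize close to UINT32_MAX. This assumes cRawBytes is never negative, which depends on the lines between the second and third hunk that are not shown. A short comment on `used` saying it counts consumed source bytes would also help the next reader. Note that this function only scans lengths; planar_decompress_plane_rle, the routine that writes output, appears only as trailing context and is not changed in this file section.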
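diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 9f3489f17..e44f0dead 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
 }
 }
 
+ if (cache_bitmap->bitmapLength == 0)
+ goto fail;
+
 if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
 goto fail;
 
@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
 }
 }
 
+ if (cache_bitmap_v2->bitmapLength == 0)
+ goto fail;
+
 if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
 goto fail;
 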
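Review bot: The new `bitmapLength == 0` rejection in update_read_cache_bitmap_order, and the identical one in update_read_cache_bitmap_v2_order, carries no comment tying it to the issue it closes, so a later cleanup could fold it away as redundant with the remaining-length check right below it. A one-line comment above each guard, for example `/* CVE-2020-11521: a zero-length bitmap must not reach the codec */`, would record the intent (the link to the codec is presumed from the commit subject). The `fail` label lies outside both hunks, so it is not visible whether this path logs anything; if it does not, a log line naming the order type would make malformed orders from a peer easier to spot during triage. Any other bitmap-order readers in this file are not part of the patch and should be checked for the same guard.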
--
2.26.2