freerdp/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch

From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 17:32:04 +0200
Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0

Thanks to Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
index d3b28b562..1ffbf79bf 100644
--- a/libfreerdp/gdi/region.c
+++ b/libfreerdp/gdi/region.c
@@ -37,6 +37,19 @@
 
 #define TAG FREERDP_TAG("gdi.region")
 
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
+{
+	if (!buffer || (size < 1) || !rect)
+		return NULL;
+
+	_snprintf(buffer, size - 1,
+	          "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
+	          rect->left, rect->bottom, rect->right);
+		buffer[size - 1] = '\0';
+
+	        return buffer;
+}
+
 /**
  * Create a region from rectangular coordinates.\n
  * @msdn{dd183514}
@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,
                            INT32* x, INT32* y,
                            INT32* w, INT32* h)
 {
+	INT64 tmp;
 	*x = rect->left;
 	*y = rect->top;
-	*w = rect->right - rect->left + 1;
-	*h = rect->bottom - rect->top + 1;
+	tmp = rect->right - rect->left + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*w = 0;
+	}
+	else
+		*w = tmp;
+	tmp = rect->bottom - rect->top + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*h = 0;
+	}
+	else
+		*h = tmp;
 }
 
 /**
-- 
2.26.2
import freerdp-2.0.0-46.rc4.el8_2.1 2020-07-07 12:39:34 +00:00			`From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001`
			`From: akallabeth <akallabeth@posteo.net>`
			`Date: Mon, 30 Mar 2020 17:32:04 +0200`
			`Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0`

			`Thanks to Sunglin and HuanGMz from Knownsec 404`
			`---`
			`libfreerdp/gdi/region.c \| 36 ++++++++++++++++++++++++++++++++++--`
			`1 file changed, 34 insertions(+), 2 deletions(-)`

			`diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c`
			`index d3b28b562..1ffbf79bf 100644`
			`--- a/libfreerdp/gdi/region.c`
			`+++ b/libfreerdp/gdi/region.c`
			`@@ -37,6 +37,19 @@`

			`#define TAG FREERDP_TAG("gdi.region")`

			`+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)`
			`+{`
			`+ if (!buffer \|\| (size < 1) \|\| !rect)`
			`+ return NULL;`
			`+`
			`+ _snprintf(buffer, size - 1,`
			`+ "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,`
			`+ rect->left, rect->bottom, rect->right);`
			`+ buffer[size - 1] = '\0';`
			`+`
			`+ return buffer;`
			`+}`
			`+`
			`/**`
			`* Create a region from rectangular coordinates.\n`
			`* @msdn{dd183514}`
			`@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,`
			`INT32* x, INT32* y,`
			`INT32* w, INT32* h)`
			`{`
			`+ INT64 tmp;`
			`*x = rect->left;`
			`*y = rect->top;`
			`- *w = rect->right - rect->left + 1;`
			`- *h = rect->bottom - rect->top + 1;`
			`+ tmp = rect->right - rect->left + 1;`
			`+ if ((tmp < 0) \|\| (tmp > INT32_MAX))`
			`+ {`
			`+ char buffer[256];`
			`+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,`
			`+ gdi_rect_str(buffer, sizeof(buffer), rect));`
			`+ *w = 0;`
			`+ }`
			`+ else`
			`+ *w = tmp;`
			`+ tmp = rect->bottom - rect->top + 1;`
			`+ if ((tmp < 0) \|\| (tmp > INT32_MAX))`
			`+ {`
			`+ char buffer[256];`
			`+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,`
			`+ gdi_rect_str(buffer, sizeof(buffer), rect));`
			`+ *h = 0;`
			`+ }`
			`+ else`
			`+ *h = tmp;`
			`}`

			`/**`
			`--`
			`2.26.2`