From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:05:17 +0200
Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/codec/include/bitmap.c | 4 ++++
libfreerdp/codec/interleaved.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
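diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
index 602d1b333..734ed136d 100644
--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,
 case MEGA_MEGA_COLOR_IMAGE:
 runLength = ExtractRunLength(code, pbSrc, &advance);
 pbSrc = pbSrc + advance;
+
+ if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
+ return FALSE;
+
 UNROLL(runLength,
 {
 SRCREADPIXEL(temp, pbSrc);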
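Review bot: The added `ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)` guard bounds only the destination; the `SRCREADPIXEL(temp, pbSrc)` reads inside `UNROLL(runLength, ...)` still consume `runLength` pixels from `pbSrc`, and nothing visible in this hunk compares that against the end of the `cbSrcBuffer`-sized input. Because `runLength` and `advance` are both decoded from the compressed data, the same case should also return FALSE when fewer source bytes remain than `advance` plus `runLength` pixels require. A comment above the new check, such as `/* runLength comes from the input stream: bound the writes here and the reads below */`, would record why it is there. RLEDECOMPRESS starts and ends outside the hunk, so a source-side check may already exist elsewhere in the function.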
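diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
index a3fe7dd3f..0d36e9b9f 100644
--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si
 {
 const size_t available = (uintptr_t)end - (uintptr_t)start;
 const BOOL rc = available >= size * base;
- return rc;
+ return rc && (start <= end);
 }
 
 static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)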
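Review bot: The product `size * base` in `available >= size * base` can wrap where `size_t` is 32 bits wide, so an oversized `size` can still pass the check even with the new `start <= end` term. The subtraction is also evaluated on possibly reversed pointers before their order is tested, which works only because the unsigned result is discarded afterwards. Testing the order first and dividing instead of multiplying removes both concerns: `if (start > end) return FALSE;` followed by `return size <= (size_t)(end - start) / base;`, provided `base` is never zero. The parameter list is cut off in the hunk header, so the type of `base` is inferred from its use in the body. A header comment such as `/* TRUE when the range from start to end can hold size items of base bytes each */` would state the contract, assuming that is the intended meaning of `base`.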
--
2.26.2