freerdp/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch

From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:18:12 +0200
Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.

Thanks to Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/codec/planar.c | 15 ++++++++-------
 libfreerdp/core/orders.c  |  6 ++++++
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 98f2495e2..34c48d786 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
 static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
         UINT32 nWidth, UINT32 nHeight)
 {
+	UINT32 used = 0;
 	UINT32 x, y;
 	BYTE controlByte;
-	const BYTE* pRLE = pSrcData;
-	const BYTE* pEnd = &pSrcData[SrcSize];
 
 	for (y = 0; y < nHeight; y++)
 	{
@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 			int cRawBytes;
 			int nRunLength;
 
-			if (pRLE >= pEnd)
+			if (used >= SrcSize)
 				return -1;
 
-			controlByte = *pRLE++;
+			controlByte = pSrcData[used++];
 			nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
 			cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
 
@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
 				cRawBytes = 0;
 			}
 
-			pRLE += cRawBytes;
+			used += cRawBytes;
 			x += cRawBytes;
 			x += nRunLength;
 
 			if (x > nWidth)
 				return -1;
 
-			if (pRLE > pEnd)
+			if (used > SrcSize)
 				return -1;
 		}
 	}
 
-	return (INT32)(pRLE - pSrcData);
+	if (used > INT32_MAX)
+		return -1;
+	return (INT32)used;
 }
 
 static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 9f3489f17..e44f0dead 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
 		}
 	}
 
+	if (cache_bitmap->bitmapLength == 0)
+		goto fail;
+
 	if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
 		goto fail;
 
@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
 		}
 	}
 
+	if (cache_bitmap_v2->bitmapLength == 0)
+		goto fail;
+
 	if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
 		goto fail;
 
-- 
2.26.2
import freerdp-2.0.0-46.rc4.el8_2.1 2020-07-07 12:39:34 +00:00			`From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001`
			`From: akallabeth <akallabeth@posteo.net>`
			`Date: Mon, 30 Mar 2020 18:18:12 +0200`
			`Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.`

			`Thanks to Sunglin and HuanGMz from Knownsec 404`
			`---`
			`libfreerdp/codec/planar.c \| 15 ++++++++-------`
			`libfreerdp/core/orders.c \| 6 ++++++`
			`2 files changed, 14 insertions(+), 7 deletions(-)`

			`diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c`
			`index 98f2495e2..34c48d786 100644`
			`--- a/libfreerdp/codec/planar.c`
			`+++ b/libfreerdp/codec/planar.c`
			`@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(`
			`static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,`
			`UINT32 nWidth, UINT32 nHeight)`
			`{`
			`+ UINT32 used = 0;`
			`UINT32 x, y;`
			`BYTE controlByte;`
			`- const BYTE* pRLE = pSrcData;`
			`- const BYTE* pEnd = &pSrcData[SrcSize];`

			`for (y = 0; y < nHeight; y++)`
			`{`
			`@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,`
			`int cRawBytes;`
			`int nRunLength;`

			`- if (pRLE >= pEnd)`
			`+ if (used >= SrcSize)`
			`return -1;`

			`- controlByte = *pRLE++;`
			`+ controlByte = pSrcData[used++];`
			`nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);`
			`cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);`

			`@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,`
			`cRawBytes = 0;`
			`}`

			`- pRLE += cRawBytes;`
			`+ used += cRawBytes;`
			`x += cRawBytes;`
			`x += nRunLength;`

			`if (x > nWidth)`
			`return -1;`

			`- if (pRLE > pEnd)`
			`+ if (used > SrcSize)`
			`return -1;`
			`}`
			`}`

			`- return (INT32)(pRLE - pSrcData);`
			`+ if (used > INT32_MAX)`
			`+ return -1;`
			`+ return (INT32)used;`
			`}`

			`static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,`
			`diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c`
			`index 9f3489f17..e44f0dead 100644`
			`--- a/libfreerdp/core/orders.c`
			`+++ b/libfreerdp/core/orders.c`
			`@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt`
			`}`
			`}`

			`+ if (cache_bitmap->bitmapLength == 0)`
			`+ goto fail;`
			`+`
			`if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)`
			`goto fail;`

			`@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat`
			`}`
			`}`

			`+ if (cache_bitmap_v2->bitmapLength == 0)`
			`+ goto fail;`
			`+`
			`if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)`
			`goto fail;`

			`--`
			`2.26.2`