freerdp/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch

From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:05:17 +0200
Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved

Thanks to Sunglin and HuanGMz from Knownsec 404
---
 libfreerdp/codec/include/bitmap.c | 4 ++++
 libfreerdp/codec/interleaved.c    | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
index 602d1b333..734ed136d 100644
--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,
 			case MEGA_MEGA_COLOR_IMAGE:
 				runLength = ExtractRunLength(code, pbSrc, &advance);
 				pbSrc = pbSrc + advance;
+
+				if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
+					return FALSE;
+
 				UNROLL(runLength,
 				{
 					SRCREADPIXEL(temp, pbSrc);
diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
index a3fe7dd3f..0d36e9b9f 100644
--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si
 {
 	const size_t available = (uintptr_t)end - (uintptr_t)start;
 	const BOOL rc = available >= size * base;
-	return rc;
+	return rc && (start <= end);
 }
 
 static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)
-- 
2.26.2
import freerdp-2.0.0-46.rc4.el8_2.1 2020-07-07 12:39:34 +00:00			`From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001`
			`From: akallabeth <akallabeth@posteo.net>`
			`Date: Mon, 30 Mar 2020 18:05:17 +0200`
			`Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved`

			`Thanks to Sunglin and HuanGMz from Knownsec 404`
			`---`
			`libfreerdp/codec/include/bitmap.c \| 4 ++++`
			`libfreerdp/codec/interleaved.c \| 2 +-`
			`2 files changed, 5 insertions(+), 1 deletion(-)`

			`diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c`
			`index 602d1b333..734ed136d 100644`
			`--- a/libfreerdp/codec/include/bitmap.c`
			`+++ b/libfreerdp/codec/include/bitmap.c`
			`@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,`
			`case MEGA_MEGA_COLOR_IMAGE:`
			`runLength = ExtractRunLength(code, pbSrc, &advance);`
			`pbSrc = pbSrc + advance;`
			`+`
			`+ if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))`
			`+ return FALSE;`
			`+`
			`UNROLL(runLength,`
			`{`
			`SRCREADPIXEL(temp, pbSrc);`
			`diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c`
			`index a3fe7dd3f..0d36e9b9f 100644`
			`--- a/libfreerdp/codec/interleaved.c`
			`+++ b/libfreerdp/codec/interleaved.c`
			`@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si`
			`{`
			`const size_t available = (uintptr_t)end - (uintptr_t)start;`
			`const BOOL rc = available >= size * base;`
			`- return rc;`
			`+ return rc && (start <= end);`
			`}`

			`static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)`
			`--`
			`2.26.2`