import freerdp-2.0.0-46.rc4.el8_2.1

2020-07-07 08:39:34 -04:00 · 2020-07-07 08:39:34 -04:00 · 9ae04fc6d3
commit 9ae04fc6d3
parent e9d284bf1c
4 changed files with 213 additions and 1 deletions
--- a/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
+++ b/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
@ -0,0 +1,69 @@
+From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 30 Mar 2020 17:32:04 +0200
+Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0
+
+Thanks to Sunglin and HuanGMz from Knownsec 404
+---
+ libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
+index d3b28b562..1ffbf79bf 100644
+--- a/libfreerdp/gdi/region.c
+++ b/libfreerdp/gdi/region.c
+@@ -37,6 +37,19 @@
+ 
+ #define TAG FREERDP_TAG("gdi.region")
+ 
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
+{
+	if (!buffer || (size < 1) || !rect)
+		return NULL;
+
+	_snprintf(buffer, size - 1,
+	          "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
+	          rect->left, rect->bottom, rect->right);
+		buffer[size - 1] = '\0';
+
+	        return buffer;
+}
+
+ /**
+  * Create a region from rectangular coordinates.\n
+  * @msdn{dd183514}
+@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,
+                            INT32* x, INT32* y,
+                            INT32* w, INT32* h)
+ {
+	INT64 tmp;
+ 	*x = rect->left;
+ 	*y = rect->top;
+-	*w = rect->right - rect->left + 1;
+-	*h = rect->bottom - rect->top + 1;
+	tmp = rect->right - rect->left + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*w = 0;
+	}
+	else
+		*w = tmp;
+	tmp = rect->bottom - rect->top + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*h = 0;
+	}
+	else
+		*h = tmp;
+ }
+ 
+ /**
+-- 
+2.26.2
+
--- a/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch
+++ b/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch
@ -0,0 +1,42 @@
+From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 30 Mar 2020 18:05:17 +0200
+Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved
+
+Thanks to Sunglin and HuanGMz from Knownsec 404
+---
+ libfreerdp/codec/include/bitmap.c | 4 ++++
+ libfreerdp/codec/interleaved.c    | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
+index 602d1b333..734ed136d 100644
+--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
+@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,
+ 			case MEGA_MEGA_COLOR_IMAGE:
+ 				runLength = ExtractRunLength(code, pbSrc, &advance);
+ 				pbSrc = pbSrc + advance;
+
+				if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
+					return FALSE;
+
+ 				UNROLL(runLength,
+ 				{
+ 					SRCREADPIXEL(temp, pbSrc);
+diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
+index a3fe7dd3f..0d36e9b9f 100644
+--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
+@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si
+ {
+ 	const size_t available = (uintptr_t)end - (uintptr_t)start;
+ 	const BOOL rc = available >= size * base;
+-	return rc;
+	return rc && (start <= end);
+ }
+ 
+ static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)
+-- 
+2.26.2
+
--- a/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
+++ b/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
@ -0,0 +1,92 @@
+From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 30 Mar 2020 18:18:12 +0200
+Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.
+
+Thanks to Sunglin and HuanGMz from Knownsec 404
+---
+ libfreerdp/codec/planar.c | 15 ++++++++-------
+ libfreerdp/core/orders.c  |  6 ++++++
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 98f2495e2..34c48d786 100644
+--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
+@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
+ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
+         UINT32 nWidth, UINT32 nHeight)
+ {
+	UINT32 used = 0;
+ 	UINT32 x, y;
+ 	BYTE controlByte;
+-	const BYTE* pRLE = pSrcData;
+-	const BYTE* pEnd = &pSrcData[SrcSize];
+ 
+ 	for (y = 0; y < nHeight; y++)
+ 	{
+@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
+ 			int cRawBytes;
+ 			int nRunLength;
+ 
+-			if (pRLE >= pEnd)
+			if (used >= SrcSize)
+ 				return -1;
+ 
+-			controlByte = *pRLE++;
+			controlByte = pSrcData[used++];
+ 			nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
+ 			cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
+ 
+@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
+ 				cRawBytes = 0;
+ 			}
+ 
+-			pRLE += cRawBytes;
+			used += cRawBytes;
+ 			x += cRawBytes;
+ 			x += nRunLength;
+ 
+ 			if (x > nWidth)
+ 				return -1;
+ 
+-			if (pRLE > pEnd)
+			if (used > SrcSize)
+ 				return -1;
+ 		}
+ 	}
+ 
+-	return (INT32)(pRLE - pSrcData);
+	if (used > INT32_MAX)
+		return -1;
+	return (INT32)used;
+ }
+ 
+ static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
+diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
+index 9f3489f17..e44f0dead 100644
+--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
+@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
+ 		}
+ 	}
+ 
+	if (cache_bitmap->bitmapLength == 0)
+		goto fail;
+
+ 	if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
+ 		goto fail;
+ 
+@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
+ 		}
+ 	}
+ 
+	if (cache_bitmap_v2->bitmapLength == 0)
+		goto fail;
+
+ 	if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
+ 		goto fail;
+ 
+-- 
+2.26.2
+
--- a/SPECS/freerdp.spec
+++ b/SPECS/freerdp.spec
@ -18,7 +18,7 @@

 Name:           freerdp
 Version:        2.0.0
-Release:        46.rc4%{?dist}
+Release:        46.rc4%{?dist}.1
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@ -26,6 +26,10 @@ URL:            http://www.freerdp.com/

 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{gittag}/FreeRDP-%{gittag}.tar.gz

+Patch1:         Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
+Patch2:         Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
+Patch3:         Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@ -295,6 +299,11 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc

 %changelog
+* Wed May 20 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4.1
+- CVE-2020-11521: Fix out-of-bounds write in planar.c (#1837632)
+- CVE-2020-11523: Fix integer overflow in region.c (#1837633)
+- CVE-2020-11524: Fix out-of-bounds write in interleaved.c (#1837631)
+
 * Wed Nov 28 2018 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4
 - Update to 2.0.0-rc4 (#1624340)