
2 Commits

Author SHA1 Message Date
Ondrej Holy 865e825746 CVE-2024-22211: Check codec resolution for overflow 2024-03-13 01:41:32 +00:00
Ondrej Holy 7c7ffa1154 Update to 2.11.2
Resolves: RHEL-4290
Resolves: RHEL-4292
Resolves: RHEL-4296
Resolves: RHEL-4298
Resolves: RHEL-4300
Resolves: RHEL-4302
Resolves: RHEL-4304
Resolves: RHEL-4306
Resolves: RHEL-4308
Resolves: RHEL-4310
Resolves: RHEL-4312
Resolves: RHEL-10060
2023-11-15 12:42:03 +01:00
22 changed files with 63 additions and 1176 deletions

1
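--- a/.freerdp.metadata
+++ b/.freerdp.metadata
@@ -0,0 +1 @@
+af099a8d4ea90cad305b723fe80f623ef3eebfe1 FreeRDP-2.11.2.tar.gz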

1
.gitignore vendored

@ -51,3 +51,4 @@
/FreeRDP-2.3.2.tar.gz
/FreeRDP-2.4.0.tar.gz
/FreeRDP-2.4.1.tar.gz
/FreeRDP-2.11.2.tar.gz


@ -1,62 +0,0 @@
From e482b394efc371412ce659b731a9b1e1d73bdf0e Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 24 Oct 2022 10:42:56 +0200
Subject: [PATCH] Added function _wcsncmp
* Compare WCHAR strings up to n characters
(cherry picked from commit 8178ed26a459356ece17414c6e871a7e0735a4ec)
---
winpr/include/winpr/string.h | 2 ++
winpr/libwinpr/crt/string.c | 15 ++++++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/winpr/include/winpr/string.h b/winpr/include/winpr/string.h
index 8ce83bc1d..3b907c444 100644
--- a/winpr/include/winpr/string.h
+++ b/winpr/include/winpr/string.h
@@ -57,6 +57,7 @@ extern "C"
WINPR_API int _strnicmp(const char* string1, const char* string2, size_t count);
WINPR_API int _wcscmp(const WCHAR* string1, const WCHAR* string2);
+ WINPR_API int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count);
WINPR_API size_t _wcslen(const WCHAR* str);
WINPR_API size_t _wcsnlen(const WCHAR* str, size_t maxNumberOfElements);
@@ -70,6 +71,7 @@ extern "C"
#else
#define _wcscmp wcscmp
+#define _wcsncmp wcsncmp
#define _wcslen wcslen
#define _wcsnlen wcsnlen
#define _wcschr wcschr
diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
index 37fcb4b25..c25ffa279 100644
--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
@@ -90,7 +90,20 @@ int _wcscmp(const WCHAR* string1, const WCHAR* string2)
Data_Read_UINT16(string1, value1);
Data_Read_UINT16(string2, value2);
- return value1 - value2;
+ return (int)value1 - value2;
+}
+
+int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
+{
+ for (size_t x = 0; x < count; x++)
+ {
+ const WCHAR a = string1[x];
+ const WCHAR b = string2[x];
+
+ if (a != b)
+ return (int)a - b;
+ }
+ return 0;
}
/* _wcslen -> wcslen */
--
2.37.1


@ -1,29 +0,0 @@
From 8c513f127549433c830575202d1551b0e9dd182d Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 09:00:48 +0200
Subject: [PATCH] Added missing length check in urb_control_transfer
(cherry picked from commit ce838e2477cb8173ea5e98f35ad55ff41ea5117d)
---
channels/urbdrc/client/data_transfer.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index 9a44e6e09..bb2784055 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -673,7 +673,11 @@ static UINT urb_control_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
buffer = Stream_Pointer(out);
if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ return ERROR_INVALID_DATA;
Stream_Copy(s, out, OutputBufferSize);
+ }
/** process TS_URB_CONTROL_TRANSFER */
if (!pdev->control_transfer(pdev, RequestId, EndpointAddress, TransferFlags, bmRequestType,
--
2.37.1


@ -1,51 +0,0 @@
From babbd1e433d273634637f5199429986714864033 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 09:09:28 +0200
Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
---
libfreerdp/codec/zgfx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
index 1a2878bd9..04ddeadb2 100644
--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
BYTE* pbSegment;
size_t cbSegment;
- if (!zgfx || !stream)
+ if (!zgfx || !stream || (segmentSize < 2))
return FALSE;
cbSegment = segmentSize - 1;
- if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
- (segmentSize > UINT32_MAX))
+ if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
return FALSE;
Stream_Read_UINT8(stream, flags); /* header (1 byte) */
zgfx->OutputCount = 0;
pbSegment = Stream_Pointer(stream);
- Stream_Seek(stream, cbSegment);
+ if (!Stream_SafeSeek(stream, cbSegment))
+ return FALSE;
if (!(flags & PACKET_COMPRESSED))
{
@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
return FALSE;
+ if (count > zgfx->cBitsRemaining / 8)
+ return FALSE;
+
CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
count);
zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
--
2.37.1


@ -1,32 +0,0 @@
From b3a695e9f38a42f1ef0cade0d5e1fe60cf68864e Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 08:36:26 +0200
Subject: [PATCH] Ensure urb_create_iocompletion uses size_t for calculation
(cherry picked from commit de7e0f062ee53d00b4a966a43855a716e3478150)
---
channels/urbdrc/client/data_transfer.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index 80e84af48..8642c8506 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -97,7 +97,13 @@ static wStream* urb_create_iocompletion(UINT32 InterfaceField, UINT32 MessageId,
UINT32 OutputBufferSize)
{
const UINT32 InterfaceId = (STREAM_ID_PROXY << 30) | (InterfaceField & 0x3FFFFFFF);
- wStream* out = Stream_New(NULL, OutputBufferSize + 28);
+
+#if UINT32_MAX >= SIZE_MAX
+ if (OutputBufferSize > UINT32_MAX - 28ull)
+ return NULL;
+#endif
+
+ wStream* out = Stream_New(NULL, OutputBufferSize + 28ull);
if (!out)
return NULL;
--
2.37.1


@ -1,37 +0,0 @@
From 64544c7f4ed72b3023955ebe6ad3b118ebb8d6c7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 6 Oct 2022 09:12:40 +0200
Subject: [PATCH] Fix length checks in parallel driver
The length requested was not checked against the length read from
the port.
(cherry picked from commit 094cc5a4596c299595b732effd59ee149181fd61)
---
channels/parallel/client/parallel_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/channels/parallel/client/parallel_main.c b/channels/parallel/client/parallel_main.c
index af3e82703..993605a65 100644
--- a/channels/parallel/client/parallel_main.c
+++ b/channels/parallel/client/parallel_main.c
@@ -159,7 +159,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, Length);
Stream_Read_UINT64(irp->input, Offset);
- buffer = (BYTE*)malloc(Length);
+ buffer = (BYTE*)calloc(Length, sizeof(BYTE));
if (!buffer)
{
@@ -178,6 +178,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
}
else
{
+ Length = status;
}
Stream_Write_UINT32(irp->output, Length);
--
2.37.1


@ -1,25 +0,0 @@
From 2ddb22f7a453f3429b3246ca8ffa1ff2c31fe71d Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Fri, 12 Nov 2021 11:24:38 +0100
Subject: [PATCH] Fixed #7436: Datatype mismatch to crypto_base64_decode
---
libfreerdp/core/gateway/rdg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 72019ede8..44de2c137 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -1190,7 +1190,7 @@ static BOOL rdg_handle_ntlm_challenge(rdpNtlm* ntlm, HttpResponse* response)
BOOL continueNeeded = FALSE;
size_t len;
const char* token64 = NULL;
- size_t ntlmTokenLength = 0;
+ int ntlmTokenLength = 0;
BYTE* ntlmTokenData = NULL;
long StatusCode;
--
2.33.1


@ -1,34 +0,0 @@
From 403402607214092d20277af3aa959ce87768580a Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Fri, 12 Nov 2021 16:01:39 +0100
Subject: [PATCH] Fixed #7436: Datatype mismatch
---
libfreerdp/core/gateway/ncacn_http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/core/gateway/ncacn_http.c b/libfreerdp/core/gateway/ncacn_http.c
index f288a0f3c..75da83d62 100644
--- a/libfreerdp/core/gateway/ncacn_http.c
+++ b/libfreerdp/core/gateway/ncacn_http.c
@@ -105,7 +105,7 @@ BOOL rpc_ncacn_http_send_in_channel_request(RpcChannel* inChannel)
BOOL rpc_ncacn_http_recv_in_channel_response(RpcChannel* inChannel, HttpResponse* response)
{
const char* token64 = NULL;
- size_t ntlmTokenLength = 0;
+ int ntlmTokenLength = 0;
BYTE* ntlmTokenData = NULL;
rdpNtlm* ntlm;
@@ -259,7 +259,7 @@ BOOL rpc_ncacn_http_send_out_channel_request(RpcChannel* outChannel, BOOL replac
BOOL rpc_ncacn_http_recv_out_channel_response(RpcChannel* outChannel, HttpResponse* response)
{
const char* token64 = NULL;
- size_t ntlmTokenLength = 0;
+ int ntlmTokenLength = 0;
BYTE* ntlmTokenData = NULL;
rdpNtlm* ntlm;
--
2.33.1


@ -1,39 +0,0 @@
From b9c5e3668c4022b34734ac8ccb07dd044d4ff38c Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 08:27:41 +0200
Subject: [PATCH] Fixed division by zero in urbdrc
(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
---
channels/urbdrc/client/libusb/libusb_udevice.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
index aa69890ae..5784d9fe2 100644
--- a/channels/urbdrc/client/libusb/libusb_udevice.c
+++ b/channels/urbdrc/client/libusb/libusb_udevice.c
@@ -1214,12 +1214,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
if (!Buffer)
Stream_Seek(user_data->data, (NumberOfPackets * 12));
- iso_packet_size = BufferSize / NumberOfPackets;
- iso_transfer = libusb_alloc_transfer(NumberOfPackets);
+ if (NumberOfPackets > 0)
+ {
+ iso_packet_size = BufferSize / NumberOfPackets;
+ iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
+ }
if (iso_transfer == NULL)
{
- WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
+ WLog_Print(urbdrc->log, WLOG_ERROR,
+ "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
+ " ]",
+ NumberOfPackets, BufferSize);
async_transfer_user_data_free(user_data);
return -1;
}
--
2.37.1


@ -1,122 +0,0 @@
From 6ed2f7d1a379f69cca102e8166d20eb5ed38652b Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Fri, 22 Apr 2022 16:27:21 +0200
Subject: [PATCH] Fixed format string for Stream_CheckAndLogRequiredLength
__LINE__ requires %d and not %PRIuz
(cherry picked from commit 74c1a006e940308b0653427d25a87ea5a24cb573)
---
winpr/include/winpr/stream.h | 14 ++++++++
winpr/libwinpr/utils/stream.c | 65 +++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+)
diff --git a/winpr/include/winpr/stream.h b/winpr/include/winpr/stream.h
index f351eaa15..ed637f034 100644
--- a/winpr/include/winpr/stream.h
+++ b/winpr/include/winpr/stream.h
@@ -27,6 +27,8 @@
#include <winpr/wtypes.h>
#include <winpr/endian.h>
#include <winpr/synch.h>
+#include <winpr/wlog.h>
+#include <winpr/debug.h>
#ifdef __cplusplus
extern "C"
@@ -56,6 +57,19 @@ extern "C"
WINPR_API void Stream_StaticInit(wStream* s, BYTE* buffer, size_t size);
WINPR_API void Stream_Free(wStream* s, BOOL bFreeBuffer);
+#define Stream_CheckAndLogRequiredLength(tag, s, len) \
+ Stream_CheckAndLogRequiredLengthEx(tag, WLOG_WARN, s, len, "%s(%s:%d)", __FUNCTION__, \
+ __FILE__, __LINE__)
+ WINPR_API BOOL Stream_CheckAndLogRequiredLengthEx(const char* tag, DWORD level, wStream* s,
+ UINT64 len, const char* fmt, ...);
+ WINPR_API BOOL Stream_CheckAndLogRequiredLengthExVa(const char* tag, DWORD level, wStream* s,
+ UINT64 len, const char* fmt, va_list args);
+ WINPR_API BOOL Stream_CheckAndLogRequiredLengthWLogEx(wLog* log, DWORD level, wStream* s,
+ UINT64 len, const char* fmt, ...);
+ WINPR_API BOOL Stream_CheckAndLogRequiredLengthWLogExVa(wLog* log, DWORD level, wStream* s,
+ UINT64 len, const char* fmt,
+ va_list args);
+
static INLINE void Stream_Seek(wStream* s, size_t _offset)
{
s->pointer += (_offset);
diff --git a/winpr/libwinpr/utils/stream.c b/winpr/libwinpr/utils/stream.c
index 1271981b7..cc119c771 100644
--- a/winpr/libwinpr/utils/stream.c
+++ b/winpr/libwinpr/utils/stream.c
@@ -132,3 +132,68 @@ void Stream_Free(wStream* s, BOOL bFreeBuffer)
free(s);
}
}
+
+BOOL Stream_CheckAndLogRequiredLengthEx(const char* tag, DWORD level, wStream* s, UINT64 len,
+ const char* fmt, ...)
+{
+ const size_t actual = Stream_GetRemainingLength(s);
+
+ if (actual < len)
+ {
+ va_list args;
+
+ va_start(args, fmt);
+ Stream_CheckAndLogRequiredLengthExVa(tag, level, s, len, fmt, args);
+ va_end(args);
+
+ return FALSE;
+ }
+ return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthExVa(const char* tag, DWORD level, wStream* s, UINT64 len,
+ const char* fmt, va_list args)
+{
+ const size_t actual = Stream_GetRemainingLength(s);
+
+ if (actual < len)
+ return Stream_CheckAndLogRequiredLengthWLogExVa(WLog_Get(tag), level, s, len, fmt, args);
+ return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthWLogEx(wLog* log, DWORD level, wStream* s, UINT64 len,
+ const char* fmt, ...)
+{
+ const size_t actual = Stream_GetRemainingLength(s);
+
+ if (actual < len)
+ {
+ va_list args;
+
+ va_start(args, fmt);
+ Stream_CheckAndLogRequiredLengthWLogExVa(log, level, s, len, fmt, args);
+ va_end(args);
+
+ return FALSE;
+ }
+ return TRUE;
+}
+
+BOOL Stream_CheckAndLogRequiredLengthWLogExVa(wLog* log, DWORD level, wStream* s, UINT64 len,
+ const char* fmt, va_list args)
+{
+ const size_t actual = Stream_GetRemainingLength(s);
+
+ if (actual < len)
+ {
+ char prefix[1024] = { 0 };
+
+ vsnprintf(prefix, sizeof(prefix), fmt, args);
+
+ WLog_Print(log, level, "[%s] invalid length, got %" PRIuz ", require at least %" PRIu64,
+ prefix, actual, len);
+ winpr_log_backtrace_ex(log, level, 20);
+ return FALSE;
+ }
+ return TRUE;
+}
--
2.38.1


@ -1,58 +0,0 @@
From ddf9b3f852c31311f8d726012131f657c9857276 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 08:47:51 +0200
Subject: [PATCH] Fixed missing input buffer length check in urbdrc
(cherry picked from commit 497df00f741dd4fc89292aaef2db7368aee45d0d)
---
channels/urbdrc/client/data_transfer.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index bb2784055..80e84af48 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -241,6 +241,10 @@ static UINT urbdrc_process_io_control(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* c
Stream_Read_UINT32(s, OutputBufferSize);
Stream_Read_UINT32(s, RequestId);
+
+ if (OutputBufferSize > UINT32_MAX - 4)
+ return ERROR_INVALID_DATA;
+
InterfaceId = ((STREAM_ID_PROXY << 30) | pdev->get_ReqCompletion(pdev));
out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, OutputBufferSize + 4);
@@ -724,6 +728,15 @@ static UINT urb_bulk_or_interrupt_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBA
Stream_Read_UINT32(s, TransferFlags); /** TransferFlags */
Stream_Read_UINT32(s, OutputBufferSize);
EndpointAddress = (PipeHandle & 0x000000ff);
+
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ {
+ return ERROR_INVALID_DATA;
+ }
+ }
+
/** process TS_URB_BULK_OR_INTERRUPT_TRANSFER */
return pdev->bulk_or_interrupt_transfer(
pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, noAck,
@@ -808,6 +821,13 @@ static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback
packetDescriptorData = Stream_Pointer(s);
Stream_Seek(s, NumberOfPackets * 12);
Stream_Read_UINT32(s, OutputBufferSize);
+
+ if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize))
+ return ERROR_INVALID_DATA;
+ }
+
return pdev->isoch_transfer(
pdev, callback, MessageId, RequestId, EndpointAddress, TransferFlags, StartFrame,
ErrorCount, noAck, packetDescriptorData, NumberOfPackets, OutputBufferSize,
--
2.37.1


@ -1,29 +0,0 @@
From bf28ea249de57acc6dfadbd778afef2093c1c283 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 6 Oct 2022 09:15:40 +0200
Subject: [PATCH] Fixed missing length check in video channel
Data received in video redirection channel was not checked for
proper length.
(cherry picked from commit eeffd1050e9284d1464b58e049b2b4d88726632b)
---
channels/video/client/video_main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c
index a21e7cdf2..a8031fc86 100644
--- a/channels/video/client/video_main.c
+++ b/channels/video/client/video_main.c
@@ -930,6 +930,8 @@ static UINT video_data_on_data_received(IWTSVirtualChannelCallback* pChannelCall
Stream_Read_UINT16(s, data.PacketsInSample);
Stream_Read_UINT32(s, data.SampleNumber);
Stream_Read_UINT32(s, data.cbSample);
+ if (!Stream_CheckAndLogRequiredLength(TAG, s, data.cbSample))
+ return ERROR_INVALID_DATA;
data.pSample = Stream_Pointer(s);
/*
--
2.37.1


@ -1,28 +0,0 @@
From 80b2483373c00baec3a26b1d82027f16dfdd8859 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 24 Oct 2022 08:45:05 +0200
Subject: [PATCH] Fixed missing stream length check in
drive_file_query_directory
(cherry picked from commit 4e4bb79795d6ac85473fb7a83e53ccf63d204b93)
---
channels/drive/client/drive_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
index d3776381c..b6cf2ad32 100644
--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
@@ -629,6 +629,9 @@ static UINT drive_process_irp_query_directory(DRIVE_DEVICE* drive, IRP* irp)
Stream_Read_UINT32(irp->input, PathLength);
Stream_Seek(irp->input, 23); /* Padding */
path = (WCHAR*)Stream_Pointer(irp->input);
+ if (!Stream_CheckAndLogRequiredLength(TAG, irp->input, PathLength))
+ return ERROR_INVALID_DATA;
+
file = drive_get_file_by_id(drive, irp->FileId);
if (file == NULL)
--
2.37.1


@ -1,296 +0,0 @@
From 865ba07a0fd4fbc7a8203482411aacca3bbfbb9f Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 24 Oct 2022 10:41:55 +0200
Subject: [PATCH] Fixed path validation in drive channel
Check that canonical path is a subpath of the shared directory
(cherry picked from commit 844c94e6d0438fa7bd8ff8d5513c3f69c3018b85)
---
channels/drive/client/drive_file.c | 106 ++++++++++++++++++-----------
channels/drive/client/drive_file.h | 8 +--
channels/drive/client/drive_main.c | 8 +--
3 files changed, 73 insertions(+), 49 deletions(-)
diff --git a/channels/drive/client/drive_file.c b/channels/drive/client/drive_file.c
index 305438593..1ea4ab9da 100644
--- a/channels/drive/client/drive_file.c
+++ b/channels/drive/client/drive_file.c
@@ -34,6 +34,7 @@
#include <stdlib.h>
#include <string.h>
#include <time.h>
+#include <assert.h>
#include <winpr/wtypes.h>
#include <winpr/crt.h>
@@ -61,10 +62,14 @@
} while (0)
#endif
-static void drive_file_fix_path(WCHAR* path)
+static BOOL drive_file_fix_path(WCHAR* path, size_t length)
{
size_t i;
- size_t length = _wcslen(path);
+
+ if ((length == 0) || (length > UINT32_MAX))
+ return FALSE;
+
+ assert(path);
for (i = 0; i < length; i++)
{
@@ -75,58 +79,82 @@ static void drive_file_fix_path(WCHAR* path)
#ifdef WIN32
if ((length == 3) && (path[1] == L':') && (path[2] == L'/'))
- return;
+ return FALSE;
#else
if ((length == 1) && (path[0] == L'/'))
- return;
+ return FALSE;
#endif
if ((length > 0) && (path[length - 1] == L'/'))
path[length - 1] = L'\0';
+
+ return TRUE;
}
static WCHAR* drive_file_combine_fullpath(const WCHAR* base_path, const WCHAR* path,
- size_t PathLength)
+ size_t PathWCharLength)
{
- WCHAR* fullpath;
- size_t base_path_length;
+ BOOL ok = FALSE;
+ WCHAR* fullpath = NULL;
+ size_t length;
- if (!base_path || (!path && (PathLength > 0)))
- return NULL;
+ if (!base_path || (!path && (PathWCharLength > 0)))
+ goto fail;
- base_path_length = _wcslen(base_path) * 2;
- fullpath = (WCHAR*)calloc(1, base_path_length + PathLength + sizeof(WCHAR));
+ const size_t base_path_length = _wcsnlen(base_path, MAX_PATH);
+ length = base_path_length + PathWCharLength + 1;
+ fullpath = (WCHAR*)calloc(length, sizeof(WCHAR));
if (!fullpath)
+ goto fail;
+
+ CopyMemory(fullpath, base_path, base_path_length * sizeof(WCHAR));
+ if (path)
+ CopyMemory(&fullpath[base_path_length], path, PathWCharLength * sizeof(WCHAR));
+
+ if (!drive_file_fix_path(fullpath, length))
+ goto fail;
+
+ /* Ensure the path does not contain sequences like '..' */
+ const WCHAR dotdot[] = { '.', '.', '\0' };
+ if (_wcsstr(&fullpath[base_path_length], dotdot))
{
- WLog_ERR(TAG, "malloc failed!");
- return NULL;
+ char abuffer[MAX_PATH] = { 0 };
+ ConvertFromUnicode(CP_UTF8, 0, &fullpath[base_path_length], -1, (char**)&abuffer,
+ ARRAYSIZE(abuffer) - 1, NULL, NULL);
+
+ WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
+ &abuffer[base_path_length]);
+ goto fail;
}
- CopyMemory(fullpath, base_path, base_path_length);
- if (path)
- CopyMemory((char*)fullpath + base_path_length, path, PathLength);
- drive_file_fix_path(fullpath);
+ ok = TRUE;
+fail:
+ if (!ok)
+ {
+ free(fullpath);
+ fullpath = NULL;
+ }
return fullpath;
}
static BOOL drive_file_remove_dir(const WCHAR* path)
{
- WIN32_FIND_DATAW findFileData;
+ WIN32_FIND_DATAW findFileData = { 0 };
BOOL ret = TRUE;
- HANDLE dir;
- WCHAR* fullpath;
- WCHAR* path_slash;
- size_t base_path_length;
+ HANDLE dir = INVALID_HANDLE_VALUE;
+ WCHAR* fullpath = NULL;
+ WCHAR* path_slash = NULL;
+ size_t base_path_length = 0;
if (!path)
return FALSE;
- base_path_length = _wcslen(path) * 2;
- path_slash = (WCHAR*)calloc(1, base_path_length + sizeof(WCHAR) * 3);
+ base_path_length = _wcslen(path);
+ path_slash = (WCHAR*)calloc(base_path_length + 3, sizeof(WCHAR));
if (!path_slash)
{
@@ -134,12 +162,11 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
return FALSE;
}
- CopyMemory(path_slash, path, base_path_length);
- path_slash[base_path_length / 2] = L'/';
- path_slash[base_path_length / 2 + 1] = L'*';
+ CopyMemory(path_slash, path, base_path_length * sizeof(WCHAR));
+ path_slash[base_path_length] = L'/';
+ path_slash[base_path_length + 1] = L'*';
DEBUG_WSTR("Search in %s", path_slash);
dir = FindFirstFileW(path_slash, &findFileData);
- path_slash[base_path_length / 2 + 1] = 0;
if (dir == INVALID_HANDLE_VALUE)
{
@@ -149,7 +176,7 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
do
{
- size_t len = _wcslen(findFileData.cFileName);
+ const size_t len = _wcsnlen(findFileData.cFileName, ARRAYSIZE(findFileData.cFileName));
if ((len == 1 && findFileData.cFileName[0] == L'.') ||
(len == 2 && findFileData.cFileName[0] == L'.' && findFileData.cFileName[1] == L'.'))
@@ -157,7 +184,7 @@ static BOOL drive_file_remove_dir(const WCHAR* path)
continue;
}
- fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len * 2);
+ fullpath = drive_file_combine_fullpath(path_slash, findFileData.cFileName, len);
DEBUG_WSTR("Delete %s", fullpath);
if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
@@ -333,13 +360,13 @@ static BOOL drive_file_init(DRIVE_FILE* file)
return file->file_handle != INVALID_HANDLE_VALUE;
}
-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
- UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
- UINT32 FileAttributes, UINT32 SharedAccess)
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+ UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+ UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess)
{
DRIVE_FILE* file;
- if (!base_path || (!path && (PathLength > 0)))
+ if (!base_path || (!path && (PathWCharLength > 0)))
return NULL;
file = (DRIVE_FILE*)calloc(1, sizeof(DRIVE_FILE));
@@ -359,7 +386,7 @@ DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 Pat
file->CreateDisposition = CreateDisposition;
file->CreateOptions = CreateOptions;
file->SharedAccess = SharedAccess;
- drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathLength));
+ drive_file_set_fullpath(file, drive_file_combine_fullpath(base_path, path, PathWCharLength));
if (!drive_file_init(file))
{
@@ -714,13 +741,10 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
return FALSE;
fullpath = drive_file_combine_fullpath(file->basepath, (WCHAR*)Stream_Pointer(input),
- FileNameLength);
+ FileNameLength / sizeof(WCHAR));
if (!fullpath)
- {
- WLog_ERR(TAG, "drive_file_combine_fullpath failed!");
return FALSE;
- }
#ifdef _WIN32
@@ -759,7 +783,7 @@ BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UIN
}
BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
- const WCHAR* path, UINT32 PathLength, wStream* output)
+ const WCHAR* path, UINT32 PathWCharLength, wStream* output)
{
size_t length;
WCHAR* ent_path;
@@ -773,7 +797,7 @@ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYT
if (file->find_handle != INVALID_HANDLE_VALUE)
FindClose(file->find_handle);
- ent_path = drive_file_combine_fullpath(file->basepath, path, PathLength);
+ ent_path = drive_file_combine_fullpath(file->basepath, path, PathWCharLength);
/* open new search handle and retrieve the first entry */
file->find_handle = FindFirstFileW(ent_path, &file->find_data);
free(ent_path);
diff --git a/channels/drive/client/drive_file.h b/channels/drive/client/drive_file.h
index ed789d6f0..6d3bd7045 100644
--- a/channels/drive/client/drive_file.h
+++ b/channels/drive/client/drive_file.h
@@ -51,9 +51,9 @@ struct _DRIVE_FILE
UINT32 CreateOptions;
};
-DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathLength, UINT32 id,
- UINT32 DesiredAccess, UINT32 CreateDisposition, UINT32 CreateOptions,
- UINT32 FileAttributes, UINT32 SharedAccess);
+DRIVE_FILE* drive_file_new(const WCHAR* base_path, const WCHAR* path, UINT32 PathWCharLength,
+ UINT32 id, UINT32 DesiredAccess, UINT32 CreateDisposition,
+ UINT32 CreateOptions, UINT32 FileAttributes, UINT32 SharedAccess);
BOOL drive_file_free(DRIVE_FILE* file);
BOOL drive_file_open(DRIVE_FILE* file);
@@ -64,6 +64,6 @@ BOOL drive_file_query_information(DRIVE_FILE* file, UINT32 FsInformationClass, w
BOOL drive_file_set_information(DRIVE_FILE* file, UINT32 FsInformationClass, UINT32 Length,
wStream* input);
BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYTE InitialQuery,
- const WCHAR* path, UINT32 PathLength, wStream* output);
+ const WCHAR* path, UINT32 PathWCharLength, wStream* output);
#endif /* FREERDP_CHANNEL_DRIVE_FILE_H */
diff --git a/channels/drive/client/drive_main.c b/channels/drive/client/drive_main.c
index 1b5422522..d3776381c 100644
--- a/channels/drive/client/drive_main.c
+++ b/channels/drive/client/drive_main.c
@@ -184,8 +184,8 @@ static UINT drive_process_irp_create(DRIVE_DEVICE* drive, IRP* irp)
path = (const WCHAR*)Stream_Pointer(irp->input);
FileId = irp->devman->id_sequence++;
- file = drive_file_new(drive->path, path, PathLength, FileId, DesiredAccess, CreateDisposition,
- CreateOptions, FileAttributes, SharedAccess);
+ file = drive_file_new(drive->path, path, PathLength / sizeof(WCHAR), FileId, DesiredAccess,
+ CreateDisposition, CreateOptions, FileAttributes, SharedAccess);
if (!file)
{
@@ -636,8 +636,8 @@ static UINT drive_process_irp_query_directory(DRIVE_DEVICE* drive, IRP* irp)
irp->IoStatus = STATUS_UNSUCCESSFUL;
Stream_Write_UINT32(irp->output, 0); /* Length */
}
- else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path, PathLength,
- irp->output))
+ else if (!drive_file_query_directory(file, FsInformationClass, InitialQuery, path,
+ PathLength / sizeof(WCHAR), irp->output))
{
irp->IoStatus = drive_map_windows_err(GetLastError());
}
--
2.37.1


@ -1,67 +0,0 @@
From 1a0f68d2058f361fc23ed9babcd618a838744bf8 Mon Sep 17 00:00:00 2001
From: akarl <mike@mwsys.mine.bz>
Date: Sun, 24 Apr 2022 21:16:52 +0200
Subject: [PATCH] Implement BIO_CTRL_GET_KTLS_SEND and BIO_CTRL_GET_KTLS_SEND
Openssl 3.0 requires to respond to this controls. According to there
documentation it should not need them, but in practice openssl's own source
is full of places where negative return values are not checked.
(cherry picked from commit 9d7c20ce8fe50bd6de54e7480b5096761a510daf)
---
libfreerdp/core/gateway/rdg.c | 18 +++++++++++++++++-
libfreerdp/core/gateway/tsg.c | 9 ++++++++-
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/core/gateway/rdg.c b/libfreerdp/core/gateway/rdg.c
index 72019ede8..5d970f39e 100644
--- a/libfreerdp/core/gateway/rdg.c
+++ b/libfreerdp/core/gateway/rdg.c
@@ -2483,7 +2483,23 @@ static long rdg_bio_ctrl(BIO* in_bio, int cmd, long arg1, void* arg2)
*/
status = BIO_ctrl(tlsOut->bio, cmd, arg1, arg2);
}
-
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ else if (cmd == BIO_CTRL_GET_KTLS_SEND)
+ {
+ /* Even though BIO_get_ktls_send says that returning negative values is valid
+ * openssl internal sources are full of if(!BIO_get_ktls_send && ) stuff. This has some
+ * nasty sideeffects. return 0 as proper no KTLS offloading flag
+ */
+ status = 0;
+ }
+ else if (cmd == BIO_CTRL_GET_KTLS_RECV)
+ {
+ /* Even though BIO_get_ktls_recv says that returning negative values is valid
+ * there is no reason to trust trust negative values are implemented right everywhere
+ */
+ status = 0;
+ }
+#endif
return status;
}
diff --git a/libfreerdp/core/gateway/tsg.c b/libfreerdp/core/gateway/tsg.c
index c03f266f2..70fdf9e27 100644
--- a/libfreerdp/core/gateway/tsg.c
+++ b/libfreerdp/core/gateway/tsg.c
@@ -2716,7 +2716,14 @@ static long transport_bio_tsg_ctrl(BIO* bio, int cmd, long arg1, void* arg2)
status = 1;
}
break;
-
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ case BIO_CTRL_GET_KTLS_SEND:
+ status = 0;
+ break;
+ case BIO_CTRL_GET_KTLS_RECV:
+ status = 0;
+ break;
+#endif
default:
break;
}
--
2.36.1


@ -0,0 +1,32 @@
From aeac3040cc99eeaff1e1171a822114c857b9dca9 Mon Sep 17 00:00:00 2001
From: Armin Novak <anovak@thincast.com>
Date: Sat, 13 Jan 2024 21:01:55 +0100
Subject: [PATCH] [codec,planar] check resolution for overflow
If the codec resolution is too large return an error as the internal
buffers would otherwise overflow.
(cherry picked from commit 44edab1deae4f8c901c00a00683f888cef36d853)
---
libfreerdp/codec/planar.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index b4815a632309..0a5ec581c6cc 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -1496,7 +1496,13 @@ BOOL freerdp_bitmap_planar_context_reset(BITMAP_PLANAR_CONTEXT* context, UINT32
context->bgr = FALSE;
context->maxWidth = PLANAR_ALIGN(width, 4);
context->maxHeight = PLANAR_ALIGN(height, 4);
- context->maxPlaneSize = context->maxWidth * context->maxHeight;
+ const UINT64 tmp = (UINT64)context->maxWidth * context->maxHeight;
+ if (tmp > UINT32_MAX)
+ return FALSE;
+ context->maxPlaneSize = tmp;
+
+ if (context->maxWidth > UINT32_MAX / 4)
+ return FALSE;
context->nTempStep = context->maxWidth * 4;
free(context->planesBuffer);
free(context->pTempData);
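Review bot: Both new `return FALSE` paths are reached after `context->maxWidth`, `context->maxHeight` and `context->bgr` have been overwritten, so a rejected resolution leaves the context with the new dimensions next to the old `planesBuffer`/`pTempData` allocations. A caller that ignores the return value and keeps using the context would then rely on bounds that no longer match its buffers. I would compute the aligned sizes and both limits in locals and store them only once the checks pass, as sketched below (field types assumed to be UINT32, which the `UINT32_MAX` comparisons suggest). `PLANAR_ALIGN` is defined outside the hunk, so whether rounding a width near `UINT32_MAX` up can wrap before these checks should be confirmed; the function body also starts and continues outside the hunk.

```c
	const UINT32 maxWidth = PLANAR_ALIGN(width, 4);
	const UINT32 maxHeight = PLANAR_ALIGN(height, 4);
	const UINT64 planeSize = (UINT64)maxWidth * maxHeight;

	/* Validate before touching the context so a failed reset leaves it intact. */
	if ((planeSize > UINT32_MAX) || (maxWidth > UINT32_MAX / 4))
		return FALSE;

	context->bgr = FALSE;
	context->maxWidth = maxWidth;
	context->maxHeight = maxHeight;
	context->maxPlaneSize = (UINT32)planeSize;
	context->nTempStep = maxWidth * 4;
	/* … unchanged: free() of planesBuffer and pTempData … */
```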


@ -1,18 +1,23 @@
# Can be rebuilt with FFmpeg/H264 support enabled by passing "--with=ffmpeg",
# "--with=x264" or "--with=openh264" to mock/rpmbuild; or by globally setting
# these variables:
# Can be rebuilt with FFmpeg/OpenH264 support enabled by passing
# "--with=ffmpeg", or "--with=openh264" to mock/rpmbuild; or by globally
# setting these variables:
# https://bugzilla.redhat.com/show_bug.cgi?id=2242028
#global _with_ffmpeg 1
#global _with_x264 1
#global _with_openh264 1
# Can be rebuilt with OpenCL support enabled by passing # "--with=opencl"
# or by globally setting:
#global _opencl 1
# Momentarily disable GSS support
# https://github.com/FreeRDP/FreeRDP/issues/4348
#global _with_gss 1
# Disable server support in RHEL
# https://bugzilla.redhat.com/show_bug.cgi?id=1639165
%{!?rhel:%global _with_server 1}
%if 0%{?fedora} || 0%{?rhel} >= 10
%global _with_server 1
%endif
# Disable support for missing codecs in RHEL
%{!?rhel:%global _with_soxr 1}
@ -21,8 +26,8 @@
%endif
Name: freerdp
Version: 2.4.1
Release: 5%{?dist}
Version: 2.11.2
Release: 2%{?dist}
Epoch: 2
Summary: Free implementation of the Remote Desktop Protocol (RDP)
License: ASL 2.0
@ -30,34 +35,8 @@ URL: http://www.freerdp.com/
Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz
# https://github.com/FreeRDP/FreeRDP/issues/7436
Patch0: Fixed-7436-Datatype-mismatch-to-crypto_base64_decode.patch
Patch1: Fixed-7436-Datatype-mismatch.patch
# https://github.com/FreeRDP/FreeRDP/pull/7448
Patch2: winpr-ssl-Load-legacy-provider-when-initializing-Ope.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2023262
Patch3: Implement-BIO_CTRL_GET_KTLS_SEND-and-BIO_CTRL_GET_KT.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136152
Patch4: Fix-length-checks-in-parallel-driver.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136154
Patch5: Fixed-missing-length-check-in-video-channel.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2145140
Patch6: Added-missing-length-checks-in-zgfx_decompress_segme.patch
Patch7: Fixed-division-by-zero-in-urbdrc.patch
Patch8: Added-missing-length-check-in-urb_control_transfer.patch
Patch9: Fixed-missing-input-buffer-length-check-in-urbdrc.patch
Patch10: Ensure-urb_create_iocompletion-uses-size_t-for-calcu.patch
Patch11: Added-function-_wcsncmp.patch
Patch12: winpr-crt-Fix-wcs-cmp-and-wcs-len-checks.patch
Patch13: winpr-crt-Added-wcsstr-implementation.patch
Patch14: Fixed-path-validation-in-drive-channel.patch
Patch15: Fixed-missing-stream-length-check-in-drive_file_quer.patch
Patch16: Fixed-format-string-for-Stream_CheckAndLogRequiredLe.patch
# https://issues.redhat.com/browse/RHEL-22244
Patch: aeac3040cc99eeaff1e1171a822114c857b9dca9.patch
BuildRequires: gcc
BuildRequires: gcc-c++
@ -78,6 +57,8 @@ BuildRequires: libxkbfile-devel
BuildRequires: libXrandr-devel
%{?_with_server:BuildRequires: libXtst-devel}
BuildRequires: libXv-devel
%{?_with_opencl:BuildRequires: opencl-headers >= 3.0}
%{?_with_opencl:BuildRequires: ocl-icd-devel}
%{?_with_openh264:BuildRequires: openh264-devel}
%{?_with_x264:BuildRequires: x264-devel}
%{?_with_server:BuildRequires: pam-devel}
@ -86,16 +67,6 @@ BuildRequires: zlib-devel
BuildRequires: multilib-rpm-config
BuildRequires: pkgconfig(cairo)
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(dbus-glib-1)
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(gstreamer-1.0)
BuildRequires: pkgconfig(gstreamer-base-1.0)
BuildRequires: pkgconfig(gstreamer-app-1.0)
BuildRequires: pkgconfig(gstreamer-audio-1.0)
BuildRequires: pkgconfig(gstreamer-fft-1.0)
BuildRequires: pkgconfig(gstreamer-pbutils-1.0)
BuildRequires: pkgconfig(gstreamer-video-1.0)
%{?_with_gss:BuildRequires: pkgconfig(krb5) >= 1.13}
BuildRequires: pkgconfig(libpcsclite)
BuildRequires: pkgconfig(libpulse)
@ -193,15 +164,16 @@ find . -name "*.c" -exec chmod 664 {} \;
-DWITH_CHANNELS=ON -DBUILTIN_CHANNELS=OFF \
-DWITH_CLIENT=ON \
-DWITH_DIRECTFB=OFF \
-DWITH_DSP_FFMPEG=%{?_with_ffmpeg:ON}%{?!_with_ffmpeg:OFF} \
-DWITH_FFMPEG=%{?_with_ffmpeg:ON}%{?!_with_ffmpeg:OFF} \
-DWITH_GSM=ON \
-DWITH_GSSAPI=%{?_with_gss:ON}%{?!_with_gss:OFF} \
-DWITH_GSTREAMER_1_0=ON -DWITH_GSTREAMER_0_10=OFF \
-DWITH_ICU=ON \
-DWITH_IPP=OFF \
-DWITH_JPEG=ON \
-DWITH_LAME=%{?_with_lame:ON}%{?!_with_lame:OFF} \
-DWITH_MANPAGES=ON \
-DWITH_OPENCL=%{?_with_opencl:ON}%{?!_with_opencl:OFF} \
-DWITH_OPENH264=%{?_with_openh264:ON}%{?!_with_openh264:OFF} \
-DWITH_OPENSSL=ON \
-DWITH_PCSC=ON \
@ -213,7 +185,6 @@ find . -name "*.c" -exec chmod 664 {} \;
-DWITH_SOXR=%{?_with_soxr:ON}%{?!_with_soxr:OFF} \
-DWITH_WAYLAND=ON \
-DWITH_X11=ON \
-DWITH_X264=%{?_with_x264:ON}%{?!_with_x264:OFF} \
-DWITH_XCURSOR=ON \
-DWITH_XEXT=ON \
-DWITH_XKBFILE=ON \
@ -241,7 +212,7 @@ find . -name "*.c" -exec chmod 664 {} \;
-DARM_FP_ABI=soft \
-DWITH_NEON=OFF \
%endif
.
%{nil}
%cmake_build
@ -324,6 +295,14 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools2.pc
%changelog
* Tue Mar 12 2024 Ondrej Holy <oholy@redhat.com> - 2:2.11.2-2
- CVE-2024-22211: Check codec resolution for overflow (RHEL-22244)
* Fri Nov 10 2023 Ondrej Holy <oholy@redhat.com> - 2:2.11.2-1
- Update to 2.11.2 (RHEL-4290, RHEL-4292, RHEL-4296, RHEL-4298, RHEL-4300,
RHEL-4302, RHEL-4304, RHEL-4306, RHEL-4308, RHEL-4310, RHEL-4312,
RHEL-10060)
* Tue Dec 13 2022 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-5
- Fix "implicit declaration of function" errors (#2136155, #2145140)
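Review bot: The new OpenCL comment tells the packager to set `#global _opencl 1`, but every conditional in this section tests `_with_opencl` (`%{?_with_opencl:BuildRequires: ...}` and `-DWITH_OPENCL=%{?_with_opencl:ON}%{?!_with_opencl:OFF}`), so uncommenting that line would not turn OpenCL on. It should read `#global _with_opencl 1`, and the stray `#` before `"--with=opencl"` in the comment above it can go. Separately, the update drops Patch0 through Patch16, several of which are length-check fixes; the changelog entry would be easier to audit if it stated that 2.11.2 already contains them, which this page does not show.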


@ -1 +1 @@
SHA512 (FreeRDP-2.4.1.tar.gz) = a02c2fac8f90142b8b7a36e31a720c79d7947c32fc8d4ac1c976e4f01467b3d78c50b00974af1db6e3e61c2c81ac77c1ac9bf889d14e4be084afa18b634e28f0
SHA512 (FreeRDP-2.11.2.tar.gz) = 722d95d7591b5ce6a7e8a3b6ac8999df278dbcfc286a532f56bcbc4a3881e75b02c7e3cd4b296e67bc19d1165020acdcca198bf4bcc92aea5611760037fcc57f


@ -1,66 +0,0 @@
From ddc6dacd06b41ed5001b1c884b5d5c9e0a70e275 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 10 Nov 2022 15:54:28 +0100
Subject: [PATCH] [winpr, crt] Added wcsstr implementation
(cherry picked from commit 6c034ba6117a4efc9266e845fe9a9a92ed4ee61d)
---
winpr/include/winpr/string.h | 3 +++
winpr/libwinpr/crt/string.c | 20 ++++++++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/winpr/include/winpr/string.h b/winpr/include/winpr/string.h
index 3b907c444..2d7126210 100644
--- a/winpr/include/winpr/string.h
+++ b/winpr/include/winpr/string.h
@@ -62,6 +62,8 @@ extern "C"
WINPR_API size_t _wcslen(const WCHAR* str);
WINPR_API size_t _wcsnlen(const WCHAR* str, size_t maxNumberOfElements);
+ WINPR_API WCHAR* _wcsstr(const WCHAR* str, const WCHAR* strSearch);
+
WINPR_API WCHAR* _wcschr(const WCHAR* str, WCHAR c);
WINPR_API WCHAR* _wcsrchr(const WCHAR* str, WCHAR c);
@@ -74,6 +76,7 @@ extern "C"
#define _wcsncmp wcsncmp
#define _wcslen wcslen
#define _wcsnlen wcsnlen
+#define _wcsstr wcsstr
#define _wcschr wcschr
#define _wcsrchr wcsrchr
diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
index 5dcf4b3f1..efd7d166c 100644
--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
@@ -147,6 +147,26 @@ size_t _wcsnlen(const WCHAR* str, size_t max)
return x;
}
+/* _wcsstr -> wcsstr */
+
+WCHAR* _wcsstr(const WCHAR* str, const WCHAR* strSearch)
+{
+ assert(str);
+ assert(strSearch);
+
+ if (strSearch[0] == '\0')
+ return str;
+
+ const size_t searchLen = _wcslen(strSearch);
+ while (*str)
+ {
+ if (_wcsncmp(str, strSearch, searchLen) == 0)
+ return str;
+ str++;
+ }
+ return NULL;
+}
+
/* _wcschr -> wcschr */
WCHAR* _wcschr(const WCHAR* str, WCHAR c)
--
2.37.1


@ -1,90 +0,0 @@
From fb9d753af70b449dd7a17898d46fd57822a08dc1 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 10 Nov 2022 14:21:22 +0100
Subject: [PATCH] [winpr, crt] Fix wcs*cmp and wcs*len checks
(cherry picked from commit b60fac1a0470fe83e8d0b448f0fd7e9e6d6a0f96)
---
winpr/libwinpr/crt/string.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/winpr/libwinpr/crt/string.c b/winpr/libwinpr/crt/string.c
index c25ffa279..5dcf4b3f1 100644
--- a/winpr/libwinpr/crt/string.c
+++ b/winpr/libwinpr/crt/string.c
@@ -26,6 +26,7 @@
#include <wctype.h>
#include <winpr/crt.h>
+#include <assert.h>
#include <winpr/endian.h>
/* String Manipulation (CRT): http://msdn.microsoft.com/en-us/library/f0151s4x.aspx */
@@ -80,21 +81,28 @@ int _strnicmp(const char* string1, const char* string2, size_t count)
int _wcscmp(const WCHAR* string1, const WCHAR* string2)
{
- WCHAR value1, value2;
+ assert(string1);
+ assert(string2);
- while (*string1 && (*string1 == *string2))
+ while (TRUE)
{
- string1++;
- string2++;
+ const WCHAR w1 = *string1++;
+ const WCHAR w2 = *string2++;
+
+ if (w1 != w2)
+ return (int)w1 - w2;
+ else if ((w1 == '\0') || (w2 == '\0'))
+ return (int)w1 - w2;
}
- Data_Read_UINT16(string1, value1);
- Data_Read_UINT16(string2, value2);
- return (int)value1 - value2;
+ return 0;
}
int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
{
+ assert(string1);
+ assert(string2);
+
for (size_t x = 0; x < count; x++)
{
const WCHAR a = string1[x];
@@ -102,6 +110,8 @@ int _wcsncmp(const WCHAR* string1, const WCHAR* string2, size_t count)
if (a != b)
return (int)a - b;
+ else if ((a == '\0') || (b == '\0'))
+ return (int)a - b;
}
return 0;
}
@@ -112,8 +122,7 @@ size_t _wcslen(const WCHAR* str)
{
const WCHAR* p = (const WCHAR*)str;
- if (!p)
- return 0;
+ assert(p);
while (*p)
p++;
@@ -127,8 +136,7 @@ size_t _wcsnlen(const WCHAR* str, size_t max)
{
size_t x;
- if (!str)
- return 0;
+ assert(str);
for (x = 0; x < max; x++)
{
--
2.37.1


@ -1,61 +0,0 @@
From 2d0b58759ba823bbc372ac19fea5080f4261c26e Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 16 Nov 2021 16:12:33 +0100
Subject: [PATCH] winpr/ssl: Load legacy provider when initializing OpenSSL 3.0
With OpenSSL 3.O, FreeRDP log contains errors like:
```
4036740A4C7F0000:error:0308010C:digital envelope routines:
inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:
Global default library context, Algorithm (MD4 : 85), Properties ()
```
This leads to connection failures in some cases. This is because algorithms
like MD4 are now part of the legacy provider, which is not loaded by
default. Let's explicitly load that provider. With this change, also the
other provides has to be explicitely loaded.
---
winpr/libwinpr/utils/ssl.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index 74ef156e7..392f8e227 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
@@ -33,6 +33,10 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
+
#include "../log.h"
#define TAG WINPR_TAG("utils.ssl")
@@ -245,6 +249,7 @@ static BOOL winpr_enable_fips(DWORD flags)
WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ OSSL_PROVIDER_load(NULL, "fips");
if (!EVP_default_properties_is_fips_enabled(NULL))
#else
if (FIPS_mode() != 1)
@@ -305,6 +310,13 @@ static BOOL CALLBACK _winpr_openssl_initialize(PINIT_ONCE once, PVOID param, PVO
return FALSE;
#endif
+
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ /* The legacy provider is needed for MD4. */
+ OSSL_PROVIDER_load(NULL, "legacy");
+ OSSL_PROVIDER_load(NULL, "default");
+#endif
+
g_winpr_openssl_initialized_by_winpr = TRUE;
return winpr_enable_fips(flags);
}
--
2.33.1