freerdp/Added-missing-length-checks-in-zgfx_decompress_segme.patch
Ondrej Holy 916e606784 Fix multiple CVE issues
CVE-2022-39316, CVE-2022-39317: Add missing length checks in zgfx
CVE-2022-39318: Fix division by zero in urbdrc channel
CVE-2022-39319: Add missing length checks in urbdrc channel
CVE-2022-39320: Ensure urb_create_iocompletion uses size_t
CVE-2022-39347: Fix path validation in drive channel
CVE-2022-41877: Add missing length check in drive channel

Resolves: #2145140
2022-12-09 11:46:01 +01:00

52 lines
1.7 KiB
Diff

From babbd1e433d273634637f5199429986714864033 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 09:09:28 +0200
Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
---
libfreerdp/codec/zgfx.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
index 1a2878bd9..04ddeadb2 100644
--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
BYTE* pbSegment;
size_t cbSegment;
- if (!zgfx || !stream)
+ if (!zgfx || !stream || (segmentSize < 2))
return FALSE;
cbSegment = segmentSize - 1;
- if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
- (segmentSize > UINT32_MAX))
+ if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
return FALSE;
Stream_Read_UINT8(stream, flags); /* header (1 byte) */
zgfx->OutputCount = 0;
pbSegment = Stream_Pointer(stream);
- Stream_Seek(stream, cbSegment);
+ if (!Stream_SafeSeek(stream, cbSegment))
+ return FALSE;
if (!(flags & PACKET_COMPRESSED))
{
@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
return FALSE;
+ if (count > zgfx->cBitsRemaining / 8)
+ return FALSE;
+
CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
count);
zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
--
2.37.1