initial version

1 files changed, 79 insertions, 0 deletions

diff --git a/CVE-2014-0791.patch b/CVE-2014-0791.patch
new file mode 100644
index 000000000000..a47d804d1f9c
--- /dev/null
+++ b/CVE-2014-0791.patch
@@ -0,0 +1,79 @@
+--- a/libfreerdp-core/license.h	2013-01-03 05:46:59.000000000 +0800
++++ b/libfreerdp-core/license.h	2014-04-09 19:11:59.593507658 +0800
+@@ -177,9 +177,9 @@
+ 
+ SCOPE_LIST* license_new_scope_list();
+ void license_free_scope_list(SCOPE_LIST* scopeList);
+-void license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList);
++boolean license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList);
+ 
+-void license_read_license_request_packet(rdpLicense* license, STREAM* s);
++boolean license_read_license_request_packet(rdpLicense* license, STREAM* s);
+ void license_read_platform_challenge_packet(rdpLicense* license, STREAM* s);
+ void license_read_new_license_packet(rdpLicense* license, STREAM* s);
+ void license_read_upgrade_license_packet(rdpLicense* license, STREAM* s);
+--- a/libfreerdp-core/license.c	2013-01-03 05:46:59.000000000 +0800
++++ b/libfreerdp-core/license.c	2014-04-09 19:11:59.593507658 +0800
+@@ -199,7 +199,8 @@
+ 	switch (bMsgType)
+ 	{
+ 		case LICENSE_REQUEST:
+-			license_read_license_request_packet(license, s);
++			if(!license_read_license_request_packet(license, s))
++				return false;
+ 			license_send_new_license_request_packet(license);
+ 			break;
+ 
+@@ -533,13 +534,16 @@
+  * @param scopeList scope list
+  */
+ 
+-void license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList)
++boolean license_read_scope_list(STREAM* s, SCOPE_LIST* scopeList)
+ {
+ 	uint32 i;
+ 	uint32 scopeCount;
+ 
+ 	stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */
+ 
++	if (scopeCount > stream_get_length(s) / 4)  /* every blob is at least 4 bytes */
++		return false;
++
+ 	scopeList->count = scopeCount;
+ 	scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);
+ 
+@@ -549,6 +553,7 @@
+ 		scopeList->array[i].type = BB_SCOPE_BLOB;
+ 		license_read_binary_blob(s, &scopeList->array[i]);
+ 	}
++	return true;
+ }
+ 
+ /**
+@@ -593,7 +598,7 @@
+  * @param s stream
+  */
+ 
+-void license_read_license_request_packet(rdpLicense* license, STREAM* s)
++boolean license_read_license_request_packet(rdpLicense* license, STREAM* s)
+ {
+ 	/* ServerRandom (32 bytes) */
+ 	stream_read(s, license->server_random, 32);
+@@ -608,7 +613,8 @@
+ 	license_read_binary_blob(s, license->server_certificate);
+ 
+ 	/* ScopeList */
+-	license_read_scope_list(s, license->scope_list);
++	if(!license_read_scope_list(s, license->scope_list))
++		return false;
+ 
+ 	/* Parse Server Certificate */
+ 	certificate_read_server_certificate(license->certificate,
+@@ -617,6 +623,7 @@
+ 	license_generate_keys(license);
+ 	license_generate_hwid(license);
+ 	license_encrypt_premaster_secret(license);
++	return true;
+ }
+ 
+ /**