Diffstat (limited to 'CVE-2014-0791.patch')
-rw-r--r-- | CVE-2014-0791.patch | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/CVE-2014-0791.patch b/CVE-2014-0791.patch
new file mode 100644
index 000000000000..42939bc46b6a
--- /dev/null
+++ b/CVE-2014-0791.patch
@@ -0,0 +1,24 @@
+From f1d6afca6ae620f9855a33280bdc6f3ad9153be0 Mon Sep 17 00:00:00 2001
+From: Hardening <rdp.effort@gmail.com>
+Date: Wed, 8 Jan 2014 16:12:51 +0100
+Subject: [PATCH] Fix CVE-2014-0791
+
+This patch fixes CVE-2014-0791, the remaining length in the stream is checked
+before doing some malloc().
+---
+ libfreerdp/core/license.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/core/license.c 2017-08-23 11:07:13.453296923 -0400
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c 2017-08-23 11:07:13.449296923 -0400
+@@ -677,6 +677,8 @@ BOOL license_read_scope_list(wStream* s,
+ return FALSE;
+
+ Stream_Read_UINT32(s, scopeCount); /* ScopeCount (4 bytes) */
++ if (scopeCount > Stream_GetRemainingLength(s) / 4) /* every blob is at least 4 bytes */
++ return FALSE;
+
+ scopeList->count = scopeCount;
+ scopeList->array = (LICENSE_BLOB*) malloc(sizeof(LICENSE_BLOB) * scopeCount); |
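Review bot: The malloc() on the last line of the inner hunk is reached after `scopeList->count` has already been set, so a failed allocation would leave the list recording scopeCount entries over a NULL array. The added bound ties scopeCount to what the stream can actually hold, which limits the request size, but it does not make the allocation infallible. license_read_scope_list continues outside the hunk, so whether the result is tested later is not visible here. If it is not, I would add `if (!scopeList->array) return FALSE;` directly after the malloc and move `scopeList->count = scopeCount;` below that check.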