Diffstat (limited to 'CVE-2014-0791.patch')
-rw-r--r--CVE-2014-0791.patch24
1 files changed, 24 insertions, 0 deletions
diff --git a/CVE-2014-0791.patch b/CVE-2014-0791.patch
new file mode 100644
index 000000000000..42939bc46b6a
--- /dev/null
+++ b/CVE-2014-0791.patch
@@ -0,0 +1,24 @@
+From f1d6afca6ae620f9855a33280bdc6f3ad9153be0 Mon Sep 17 00:00:00 2001
+From: Hardening <rdp.effort@gmail.com>
+Date: Wed, 8 Jan 2014 16:12:51 +0100
+Subject: [PATCH] Fix CVE-2014-0791
+
+This patch fixes CVE-2014-0791, the remaining length in the stream is checked
+before doing some malloc().
+---
+ libfreerdp/core/license.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/core/license.c 2017-08-23 11:07:13.453296923 -0400
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c 2017-08-23 11:07:13.449296923 -0400
+@@ -677,6 +677,8 @@ BOOL license_read_scope_list(wStream* s,
+ return FALSE;
+
+ Stream_Read_UINT32(s, scopeCount); /* ScopeCount (4 bytes) */
++ if (scopeCount > Stream_GetRemainingLength(s) / 4) /* every blob is at least 4 bytes */
++ return FALSE;
+
+ scopeList->count = scopeCount;
+ scopeList->array = (LICENSE_BLOB*) malloc(sizeof(LICENSE_BLOB) * scopeCount);
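Review bot: The result of `malloc(sizeof(LICENSE_BLOB) * scopeCount)` on the last line is not checked in the visible lines, and `scopeList->count` is assigned before the allocation, so a failed allocation would leave a non-zero count paired with a NULL array. The added bound ties `scopeCount` to the bytes remaining in the stream, which limits the request size and the multiplication, but it does not cover allocation failure. Consider adding `if (!scopeList->array) return FALSE;` directly after the malloc and setting `scopeList->count` only once the allocation has succeeded. The body of license_read_scope_list continues past the end of this hunk, so such a check may already exist further down; worth confirming against the full file.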