Diffstat (limited to 'CVE-2018-8787.patch')
-rw-r--r--CVE-2018-8787.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/CVE-2018-8787.patch b/CVE-2018-8787.patch
new file mode 100644
index 000000000000..49b5c3959f79
--- /dev/null
+++ b/CVE-2018-8787.patch
@@ -0,0 +1,51 @@
+Backport of:
+
+From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 22 Oct 2018 16:30:20 +0200
+Subject: [PATCH] Fixed CVE-2018-8787
+
+Thanks to Eyal Itkin from Check Point Software Technologies.
+---
+ libfreerdp/gdi/graphics.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
+@@ -23,6 +23,7 @@
+
+ #include <winpr/crt.h>
+
++#include <stdint.h>
+ #include <freerdp/gdi/dc.h>
+ #include <freerdp/gdi/brush.h>
+ #include <freerdp/gdi/shape.h>
+@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
+ BYTE* data, int width, int height, int bpp, int length,
+ BOOL compressed, int codec_id)
+ {
+- UINT16 size;
++ UINT32 size;
+ RFX_MESSAGE* msg;
+ BYTE* src;
+ BYTE* dst;
+@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
+ rdpGdi* gdi;
+ BOOL status;
+
+- size = width * height * ((bpp + 7) / 8);
++ size = width * height;
++
++ if (bpp <= 0 || width <= 0 || height <= 0 ||
++ width > (UINT32_MAX / height) ||
++ size > (UINT32_MAX / (bpp + 7) / 8))
++ {
++ printf("Invalid parameters, unable to decompress bitmap\n");
++ return;
++ }
++ size *= (bpp + 7) / 8;
+
+ if (bitmap->data == NULL)
+ bitmap->data = (BYTE*) malloc(size);
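Review bot: In the backported guard for gdi_Bitmap_Decompress, `size = width * height;` is evaluated in signed `int` before any range check runs, so the multiplication the guard is meant to protect can itself overflow (undefined behaviour) once the product exceeds INT_MAX. Validate first, then multiply in the unsigned type after the `width > (UINT32_MAX / height)` test, e.g. `size = (UINT32) width * (UINT32) height;`. The third bound, `UINT32_MAX / (bpp + 7) / 8`, parses as `UINT32_MAX / ((bpp + 7) * 8)` rather than dividing by the bytes-per-pixel value; this errs on the safe side but rejects bitmaps well below the real limit, so `size > UINT32_MAX / ((bpp + 7) / 8)` looks like what was intended. The context line `bitmap->data = (BYTE*) malloc(size);` uses the result unchecked, and the function body continues beyond the hunk, so whether allocation failure is handled later cannot be confirmed from here. The rejection path only calls `printf` and returns from a void function, so a short comment should state what a caller may assume about `bitmap->data` after a rejected decode.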