Diffstat (limited to 'CVE-2018-8787.patch')
-rw-r--r-- | CVE-2018-8787.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/CVE-2018-8787.patch b/CVE-2018-8787.patch
new file mode 100644
index 000000000000..49b5c3959f79
--- /dev/null
+++ b/CVE-2018-8787.patch
@@ -0,0 +1,51 @@
+Backport of:
+
+From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 22 Oct 2018 16:30:20 +0200
+Subject: [PATCH] Fixed CVE-2018-8787
+
+Thanks to Eyal Itkin from Check Point Software Technologies.
+---
+ libfreerdp/gdi/graphics.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
+@@ -23,6 +23,7 @@
+
+ #include <winpr/crt.h>
+
++#include <stdint.h>
+ #include <freerdp/gdi/dc.h>
+ #include <freerdp/gdi/brush.h>
+ #include <freerdp/gdi/shape.h>
+@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
+ BYTE* data, int width, int height, int bpp, int length,
+ BOOL compressed, int codec_id)
+ {
+- UINT16 size;
++ UINT32 size;
+ RFX_MESSAGE* msg;
+ BYTE* src;
+ BYTE* dst;
+@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
+ rdpGdi* gdi;
+ BOOL status;
+
+- size = width * height * ((bpp + 7) / 8);
++ size = width * height;
++
++ if (bpp <= 0 || width <= 0 || height <= 0 ||
++ width > (UINT32_MAX / height) ||
++ size > (UINT32_MAX / (bpp + 7) / 8))
++ {
++ printf("Invalid parameters, unable to decompress bitmap\n");
++ return;
++ }
++ size *= (bpp + 7) / 8;
+
+ if (bitmap->data == NULL)
+ bitmap->data = (BYTE*) malloc(size);  |
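Review bot: In the backported gdi_Bitmap_Decompress hunk, `size = width * height;` multiplies two `int` values before any of the range checks run, so for the very inputs the patch is meant to reject the product can overflow as a signed multiplication (undefined behaviour) before the guard is reached; `size = (UINT32) width * (UINT32) height;` keeps the arithmetic unsigned and well defined. The last bound, `size > (UINT32_MAX / (bpp + 7) / 8)`, parses as `(UINT32_MAX / (bpp + 7)) / 8`, which is far smaller than the intended limit, so it errs on the safe side but rejects large legitimate bitmaps (at 32 bpp, anything over roughly 13.7 million pixels); `size > UINT32_MAX / ((bpp + 7) / 8)` matches the multiplication that follows. The function returns `void` and the rejection path only prints to stdout, so a caller presumably cannot tell that `bitmap->data` was left unset; that, and whether the `malloc(size)` result is checked, depends on code outside the hunk and is worth confirming in the backported tree.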