Diffstat (limited to 'CVE-2018-8787.patch')
-rw-r--r-- | CVE-2018-8787.patch | 51 |
1 files changed, 0 insertions, 51 deletions
diff --git a/CVE-2018-8787.patch b/CVE-2018-8787.patch
deleted file mode 100644
index 49b5c3959f79..000000000000
--- a/CVE-2018-8787.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Backport of:
-
-From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
-From: Armin Novak <armin.novak@thincast.com>
-Date: Mon, 22 Oct 2018 16:30:20 +0200
-Subject: [PATCH] Fixed CVE-2018-8787
-
-Thanks to Eyal Itkin from Check Point Software Technologies.
----
- libfreerdp/gdi/graphics.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
-===================================================================
---- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
-+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
-@@ -23,6 +23,7 @@
-
- #include <winpr/crt.h>
-
-+#include <stdint.h>
- #include <freerdp/gdi/dc.h>
- #include <freerdp/gdi/brush.h>
- #include <freerdp/gdi/shape.h>
-@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
- BYTE* data, int width, int height, int bpp, int length,
- BOOL compressed, int codec_id)
- {
-- UINT16 size;
-+ UINT32 size;
- RFX_MESSAGE* msg;
- BYTE* src;
- BYTE* dst;
-@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
- rdpGdi* gdi;
- BOOL status;
-
-- size = width * height * ((bpp + 7) / 8);
-+ size = width * height;
-+
-+ if (bpp <= 0 || width <= 0 || height <= 0 ||
-+ width > (UINT32_MAX / height) ||
-+ size > (UINT32_MAX / (bpp + 7) / 8))
-+ {
-+ printf("Invalid parameters, unable to decompress bitmap\n");
-+ return;
-+ }
-+ size *= (bpp + 7) / 8;
-
- if (bitmap->data == NULL)
- bitmap->data = (BYTE*) malloc(size); |