Diffstat (limited to 'CVE-2018-8789.patch')
-rw-r--r-- | CVE-2018-8789.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/CVE-2018-8789.patch b/CVE-2018-8789.patch
new file mode 100644
index 000000000000..1aec14058174
--- /dev/null
+++ b/CVE-2018-8789.patch
@@ -0,0 +1,27 @@
+Backport of:
+
+From 2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 22 Oct 2018 16:00:03 +0200
+Subject: [PATCH] Fixed CVE-2018-8789
+
+Thanks to Eyal Itkin from Check Point Software Technologies.
+---
+ winpr/libwinpr/sspi/NTLM/ntlm_message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/winpr/libwinpr/sspi/NTLM/ntlm_message.c
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+@@ -146,6 +146,10 @@ void ntlm_read_message_fields_buffer(wSt
+ {
+ if (fields->Len > 0)
+ {
++ const UINT64 offset = (UINT64)fields->BufferOffset + (UINT64)fields->Len;
++
++ if (offset > Stream_Length(s))
++ return;
+ fields->Buffer = malloc(fields->Len);
+ Stream_SetPosition(s, fields->BufferOffset);
+ Stream_Read(s, fields->Buffer, fields->Len);
 |
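Review bot: The added bounds check in ntlm_read_message_fields_buffer bails out with a bare `return;`, so a message whose BufferOffset + Len runs past the stream is skipped rather than rejected: the function is void and leaves `fields->Len` non-zero with `fields->Buffer` unassigned, which later code may still treat as a valid buffer (the callers are outside this hunk, so that part is inferred). The upstream diffstat quoted in the patch header lists 13 insertions and 11 deletions while this backport adds only four lines, which suggests the error propagation to callers was dropped; consider returning a status (`return -1;`) and having the callers abort message parsing on failure. The `malloc(fields->Len)` on the following context line is also passed to Stream_Read without a NULL check, e.g. `if (!fields->Buffer) return -1;`. The function body continues outside the hunk.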