Diffstat (limited to 'CVE-2018-8789.patch')
-rw-r--r--CVE-2018-8789.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/CVE-2018-8789.patch b/CVE-2018-8789.patch
new file mode 100644
index 000000000000..1aec14058174
--- /dev/null
+++ b/CVE-2018-8789.patch
@@ -0,0 +1,27 @@
+Backport of:
+
+From 2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Mon, 22 Oct 2018 16:00:03 +0200
+Subject: [PATCH] Fixed CVE-2018-8789
+
+Thanks to Eyal Itkin from Check Point Software Technologies.
+---
+ winpr/libwinpr/sspi/NTLM/ntlm_message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+===================================================================
+--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/winpr/libwinpr/sspi/NTLM/ntlm_message.c
++++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+@@ -146,6 +146,10 @@ void ntlm_read_message_fields_buffer(wSt
+ {
+ if (fields->Len > 0)
+ {
++ const UINT64 offset = (UINT64)fields->BufferOffset + (UINT64)fields->Len;
++
++ if (offset > Stream_Length(s))
++ return;
+ fields->Buffer = malloc(fields->Len);
+ Stream_SetPosition(s, fields->BufferOffset);
+ Stream_Read(s, fields->Buffer, fields->Len);
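Review bot: The added `return;` after `if (offset > Stream_Length(s))` rejects an out-of-range field without telling the caller, because the hunk header shows `ntlm_read_message_fields_buffer` is still declared `void` in this backport. `fields->Len` stays non-zero while `fields->Buffer` is not set by this call, so any later code that uses the pair cannot tell the read was refused. The embedded upstream header lists 13 insertions and 11 deletions, while only four lines are added here, so the upstream error propagation appears to have been dropped; either port the failing return value so the message is rejected, or confirm every caller tolerates an unset `Buffer`. Separately, the `malloc(fields->Len)` result in the context lines is passed to `Stream_Read` unchecked, and `if (!fields->Buffer) return;` after the allocation would close that. The function body starts and ends outside the hunk, so the callers and the closing code are not visible here.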