From f1d6afca6ae620f9855a33280bdc6f3ad9153be0 Mon Sep 17 00:00:00 2001
From: Hardening
Date: Wed, 8 Jan 2014 16:12:51 +0100
Subject: [PATCH] Fix CVE-2014-0791
This patch fixes CVE-2014-0791, the remaining length in the stream is checked before doing some malloc().
---
 libfreerdp/core/license.c | 2 ++
 1 file changed, 2 insertions(+)
Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/core/license.c 2017-08-23 11:07:13.453296923 -0400
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c 2017-08-23 11:07:13.449296923 -0400
@@ -677,6 +677,8 @@ BOOL license_read_scope_list(wStream* s,
 return FALSE;
 Stream_Read_UINT32(s, scopeCount); /* ScopeCount (4 bytes) */
+ if (scopeCount > Stream_GetRemainingLength(s) / 4) /* every blob is at least 4 bytes */
+ return FALSE;
 scopeList->count = scopeCount;
 scopeList->array = (LICENSE_BLOB*) malloc(sizeof(LICENSE_BLOB) * scopeCount);
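Review bot: The `malloc()` on the hunk's last line is not NULL-checked in the lines shown, and `scopeList->count` is assigned before it, so a failed allocation would leave a non-zero count paired with a NULL array. The new bound ties `scopeCount` to the bytes left in the stream, but the size is still computed as an unchecked product. I would allocate with `scopeList->array = (LICENSE_BLOB*) calloc(scopeCount, sizeof(LICENSE_BLOB));`, follow it with `if (!scopeList->array) return FALSE;`, and only then set `scopeList->count = scopeCount;`. The body of license_read_scope_list continues past the hunk, so a check may already exist there; confirm that before changing it.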