Backport of:

From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:30:20 +0200
Subject: [PATCH] Fixed CVE-2018-8787

Thanks to Eyal Itkin from Check Point Software Technologies.
---
 libfreerdp/gdi/graphics.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
@@ -23,6 +23,7 @@
 
 #include <winpr/crt.h>
 
+#include <stdint.h>
 #include <freerdp/gdi/dc.h>
 #include <freerdp/gdi/brush.h>
 #include <freerdp/gdi/shape.h>
@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
 		BYTE* data, int width, int height, int bpp, int length,
 		BOOL compressed, int codec_id)
 {
-	UINT16 size;
+	UINT32 size;
 	RFX_MESSAGE* msg;
 	BYTE* src;
 	BYTE* dst;
@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
 	rdpGdi* gdi;
 	BOOL status;
 
-	size = width * height * ((bpp + 7) / 8);
+	size = width * height;
+
+       if (bpp <= 0 || width <= 0 || height <= 0 ||
+	   width > (UINT32_MAX / height) ||
+	   size > (UINT32_MAX / (bpp + 7) / 8))
+       {
+		printf("Invalid parameters, unable to decompress bitmap\n");
+		return;
+       }
+	size *= (bpp + 7) / 8;
 
 	if (bitmap->data == NULL)
 		bitmap->data = (BYTE*) malloc(size);