path: root/CVE-2014-0791.patch
blob: 42939bc46b6a499c2bdc0fd813bff1089e2b35b9 (plain)
From f1d6afca6ae620f9855a33280bdc6f3ad9153be0 Mon Sep 17 00:00:00 2001
From: Hardening <rdp.effort@gmail.com>
Date: Wed, 8 Jan 2014 16:12:51 +0100
Subject: [PATCH] Fix CVE-2014-0791

This patch fixes CVE-2014-0791: the remaining length in the stream is now
checked before doing some malloc().
---
 libfreerdp/core/license.c | 2 ++
 1 file changed, 2 insertions(+)

Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/core/license.c	2017-08-23 11:07:13.453296923 -0400
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/license.c	2017-08-23 11:07:13.449296923 -0400
@@ -677,6 +677,8 @@ BOOL license_read_scope_list(wStream* s,
 		return FALSE;
 
 	Stream_Read_UINT32(s, scopeCount); /* ScopeCount (4 bytes) */
+	if (scopeCount > Stream_GetRemainingLength(s) / 4)  /* every blob is at least 4 bytes */
+		return FALSE;
 
 	scopeList->count = scopeCount;
 	scopeList->array = (LICENSE_BLOB*) malloc(sizeof(LICENSE_BLOB) * scopeCount);
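Review bot: The `malloc` on the last line of the hunk has no visible NULL check, and `scopeList->count` is assigned before the allocation is known to have succeeded. The added bound stops a wire-supplied ScopeCount from requesting more blobs than the remaining stream could hold, but a failed allocation would still leave a non-zero count paired with a NULL array for whatever later iterates over or frees the list. I would allocate first, add `if (!scopeList->array) return FALSE;`, and only then set `scopeList->count = scopeCount;`. license_read_scope_list continues past the end of the hunk, so such a check may already exist further down and should be confirmed there.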