1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
Backport of:
From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:30:20 +0200
Subject: [PATCH] Fixed CVE-2018-8787
Thanks to Eyal Itkin from Check Point Software Technologies.
---
libfreerdp/gdi/graphics.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
@@ -23,6 +23,7 @@
#include <winpr/crt.h>
+#include <stdint.h>
#include <freerdp/gdi/dc.h>
#include <freerdp/gdi/brush.h>
#include <freerdp/gdi/shape.h>
@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
BYTE* data, int width, int height, int bpp, int length,
BOOL compressed, int codec_id)
{
- UINT16 size;
+ UINT32 size;
RFX_MESSAGE* msg;
BYTE* src;
BYTE* dst;
@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
rdpGdi* gdi;
BOOL status;
- size = width * height * ((bpp + 7) / 8);
+ size = width * height;
+
+ if (bpp <= 0 || width <= 0 || height <= 0 ||
+ width > (UINT32_MAX / height) ||
+ size > (UINT32_MAX / (bpp + 7) / 8))
+ {
+ printf("Invalid parameters, unable to decompress bitmap\n");
+ return;
+ }
+ size *= (bpp + 7) / 8;
if (bitmap->data == NULL)
bitmap->data = (BYTE*) malloc(size);
|