path: root/CVE-2018-8789.patch
blob: 1aec140581744251438e658e8bd530d745559933 (plain)
Backport of:

From 2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:00:03 +0200
Subject: [PATCH] Fixed CVE-2018-8789

Thanks to Eyal Itkin from Check Point Software Technologies.
---
 winpr/libwinpr/sspi/NTLM/ntlm_message.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
@@ -146,6 +146,10 @@ void ntlm_read_message_fields_buffer(wSt
 {
 	if (fields->Len > 0)
 	{
+		const UINT64 offset = (UINT64)fields->BufferOffset + (UINT64)fields->Len;
+
+		if (offset > Stream_Length(s))
+			return;
 		fields->Buffer = malloc(fields->Len);
 		Stream_SetPosition(s, fields->BufferOffset);
 		Stream_Read(s, fields->Buffer, fields->Len);
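Review bot: The added bounds check `if (offset > Stream_Length(s)) return;` fails silently: the hunk header still shows the function as `void`, so on an out-of-range BufferOffset/Len it returns with `fields->Len` non-zero and `fields->Buffer` never assigned, and a caller cannot tell that the read was skipped. If the signature has to stay as it is in this backport, clear the field on that path, e.g. `{ fields->Buffer = NULL; fields->Len = 0; return; }`, or else return a status that the callers check; whether the remaining hunks of this patch cover this is not visible here. The result of `malloc(fields->Len)` on the following line is also passed to `Stream_Read` without a NULL check, so an allocation failure for an attacker-chosen length would be a NULL write. The function body begins and continues outside the hunk.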