Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
freerdp.9501
freerdp-CVE-2018-8784.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File freerdp-CVE-2018-8784.patch of Package freerdp.9501
From 17c363a5162fd4dc77b1df54e48d7bd9bf6b3be7 Mon Sep 17 00:00:00 2001 From: Armin Novak <armin.novak@thincast.com> Date: Mon, 22 Oct 2018 17:51:26 +0200 Subject: [PATCH 6/6] Fixed CVE-2018-8784 Thanks to Eyal Itkin from Check Point Software Technologies. --- libfreerdp/codec/zgfx.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) Index: b/libfreerdp/codec/zgfx.c =================================================================== --- a/libfreerdp/codec/zgfx.c 2019-01-09 22:14:39.334977268 +0800 +++ b/libfreerdp/codec/zgfx.c 2019-01-09 22:15:28.047296783 +0800 @@ -132,6 +132,7 @@ static INLINE BOOL zgfx_GetBits(ZGFX_CON _zgfx->cBitsCurrent -= _nbits; _zgfx->bits = _zgfx->BitsCurrent >> _zgfx->cBitsCurrent; _zgfx->BitsCurrent &= ((1 << _zgfx->cBitsCurrent) - 1); + return TRUE; } void zgfx_history_buffer_ring_write(ZGFX_CONTEXT* zgfx, BYTE* src, UINT32 count) @@ -228,7 +229,7 @@ int zgfx_decompress_segment(ZGFX_CONTEXT UINT32 count; UINT32 distance; - if (cbSegment < 1) + if (!zgfx || cbSegment < 1) return -1; flags = pbSegment[0]; /* header (1 byte) */ @@ -241,6 +242,10 @@ int zgfx_decompress_segment(ZGFX_CONTEXT if (!(flags & PACKET_COMPRESSED)) { zgfx_history_buffer_ring_write(zgfx, pbSegment, cbSegment); + + if (cbSegment > sizeof(zgfx->OutputBuffer)) + return -1; + CopyMemory(zgfx->OutputBuffer, pbSegment, cbSegment); zgfx->OutputCount = cbSegment; @@ -283,6 +288,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT if (++zgfx->HistoryIndex == zgfx->HistoryBufferSize) zgfx->HistoryIndex = 0; + if (zgfx->OutputCount >= sizeof(zgfx->OutputBuffer)) + return -1; + zgfx->OutputBuffer[zgfx->OutputCount++] = c; } else @@ -319,6 +327,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT count += zgfx->bits; } + if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount) + return -1; + zgfx_history_buffer_ring_read(zgfx, distance, &(zgfx->OutputBuffer[zgfx->OutputCount]), count); zgfx_history_buffer_ring_write(zgfx, &(zgfx->OutputBuffer[zgfx->OutputCount]), count); zgfx->OutputCount += count; @@ -334,6 +345,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT zgfx->cBitsCurrent = 0; zgfx->BitsCurrent = 0; + if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount) + return -1; + CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent, count); zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor