File xrdp-CVE-2022-23477.patch of Package xrdp.31568

Overview Repositories Revisions Requests Users Attributes Meta

File xrdp-CVE-2022-23477.patch of Package xrdp.31568

From 1ba314c80ebd18ee4c4d8459b79d6ee8badf1ad0 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477

Prevent buffer overflow for oversized audio format from client
---
 sesman/chansrv/audin.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index 1ca2de30..9d25749b 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
     int error;
     int bytes;
     struct stream *s;
-    struct xr_wave_format_ex *wf;
+    struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
 
     LOG(0, ("audin_send_open:"));
     make_stream(s);
-    init_stream(s, 8192);
+    /* wf->cbSize was checked when the format was received */
+    init_stream(s, wf->cbSize + 64);
+
     out_uint8(s, MSG_SNDIN_OPEN);
     out_uint32_le(s, 2048); /* FramesPerPacket */
     out_uint32_le(s, g_current_format); /* initialFormat */
-    wf = g_client_formats[g_current_format];
     out_uint16_le(s, wf->wFormatTag);
     out_uint16_le(s, wf->nChannels);
     out_uint32_le(s, wf->nSamplesPerSec);
-- 
2.39.0

Places

File xrdp-CVE-2022-23477.patch of Package xrdp.31568

Places