diff options
| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch | 78 | ||||
| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch new file mode 100644 index 0000000000..4def7320b9 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32039.patch | |||
| @@ -0,0 +1,78 @@ | |||
| 1 | From 519c08d4720950dbeef8e671431ff8a6ea4e2927 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: akallabeth <akallabeth@posteo.net> | ||
| 3 | Date: Tue, 16 Apr 2024 08:35:05 +0200 | ||
| 4 | Subject: [PATCH] fix integer overflow | ||
| 5 | |||
| 6 | reorder check to prevent possible integer overflow | ||
| 7 | |||
| 8 | (cherry picked from commit 3a2a241b8fcfee853e35cc54bec00375096fedd9) | ||
| 9 | |||
| 10 | CVE: CVE-2024-32039 | ||
| 11 | Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265] | ||
| 12 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 13 | --- | ||
| 14 | libfreerdp/codec/clear.c | 2 +- | ||
| 15 | libfreerdp/codec/zgfx.c | 16 +++++++++++----- | ||
| 16 | 2 files changed, 12 insertions(+), 6 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c | ||
| 19 | index fadd98e67..0e169cf9d 100644 | ||
| 20 | --- a/libfreerdp/codec/clear.c | ||
| 21 | +++ b/libfreerdp/codec/clear.c | ||
| 22 | @@ -410,7 +410,7 @@ static BOOL clear_decompress_residual_data(CLEAR_CONTEXT* clear, wStream* s, | ||
| 23 | } | ||
| 24 | } | ||
| 25 | |||
| 26 | - if ((pixelIndex + runLengthFactor) > pixelCount) | ||
| 27 | + if ((pixelIndex >= pixelCount) || (runLengthFactor > (pixelCount - pixelIndex))) | ||
| 28 | { | ||
| 29 | WLog_ERR(TAG, | ||
| 30 | "pixelIndex %" PRIu32 " + runLengthFactor %" PRIu32 " > pixelCount %" PRIu32 | ||
| 31 | diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c | ||
| 32 | index 4489b3798..3ed5067c8 100644 | ||
| 33 | --- a/libfreerdp/codec/zgfx.c | ||
| 34 | +++ b/libfreerdp/codec/zgfx.c | ||
| 35 | @@ -23,6 +23,8 @@ | ||
| 36 | #include "config.h" | ||
| 37 | #endif | ||
| 38 | |||
| 39 | +#include <assert.h> | ||
| 40 | + | ||
| 41 | #include <winpr/crt.h> | ||
| 42 | #include <winpr/print.h> | ||
| 43 | #include <winpr/bitstream.h> | ||
| 44 | @@ -230,7 +232,10 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t | ||
| 45 | BYTE* pbSegment; | ||
| 46 | size_t cbSegment; | ||
| 47 | |||
| 48 | - if (!zgfx || !stream || (segmentSize < 2)) | ||
| 49 | + assert((zgfx) && "Assert failed: zgfx"); | ||
| 50 | + assert((stream) && "Assert failed: stream"); | ||
| 51 | + | ||
| 52 | + if (segmentSize < 2) | ||
| 53 | return FALSE; | ||
| 54 | |||
| 55 | cbSegment = segmentSize - 1; | ||
| 56 | @@ -349,8 +354,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t | ||
| 57 | |||
| 58 | if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount) | ||
| 59 | return FALSE; | ||
| 60 | - | ||
| 61 | - if (count > zgfx->cBitsRemaining / 8) | ||
| 62 | + else if (count > zgfx->cBitsRemaining / 8) | ||
| 63 | + return FALSE; | ||
| 64 | + else if (zgfx->pbInputCurrent + count > zgfx->pbInputEnd) | ||
| 65 | return FALSE; | ||
| 66 | |||
| 67 | CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent, | ||
| 68 | @@ -377,8 +383,8 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY | ||
| 69 | BYTE descriptor; | ||
| 70 | wStream* stream = Stream_New((BYTE*)pSrcData, SrcSize); | ||
| 71 | |||
| 72 | - if (!stream) | ||
| 73 | - return -1; | ||
| 74 | + assert((zgfx) && "Assert failed: zgfx"); | ||
| 75 | + assert((stream) && "Assert failed: stream"); | ||
| 76 | |||
| 77 | if (Stream_GetRemainingLength(stream) < 1) | ||
| 78 | goto fail; | ||
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 9ad95e1700..c616a55958 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb | |||
| @@ -32,6 +32,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https | |||
| 32 | file://CVE-2023-40569.patch \ | 32 | file://CVE-2023-40569.patch \ |
| 33 | file://CVE-2023-40589.patch \ | 33 | file://CVE-2023-40589.patch \ |
| 34 | file://CVE-2024-22211.patch \ | 34 | file://CVE-2024-22211.patch \ |
| 35 | file://CVE-2024-32039.patch \ | ||
| 35 | " | 36 | " |
| 36 | 37 | ||
| 37 | S = "${WORKDIR}/git" | 38 | S = "${WORKDIR}/git" |
