meta-openembedded/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch - openbmc/openbmc - Gitiles

 https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
 CVE: CVE-2022-39316
 Upstream-Status: Backport
 Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

 From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
 From: akallabeth <akallabeth@posteo.net>
 Date: Thu, 13 Oct 2022 09:09:28 +0200
 Subject: [PATCH] Added missing length checks in zgfx_decompress_segment

 (cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
 ---
  libfreerdp/codec/zgfx.c | 11 +++++++----
  1 file changed, 7 insertions(+), 4 deletions(-)

 diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
 index 20fbd354571..e260aa6e28a 100644
 --- a/libfreerdp/codec/zgfx.c
 +++ b/libfreerdp/codec/zgfx.c
 @@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
  	BYTE* pbSegment;
  	size_t cbSegment;

 -	if (!zgfx || !stream)
 +	if (!zgfx || !stream || (segmentSize < 2))
  		return FALSE;

  	cbSegment = segmentSize - 1;

 -	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
 -	    (segmentSize > UINT32_MAX))
 +	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
  		return FALSE;

  	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
  	zgfx->OutputCount = 0;
  	pbSegment = Stream_Pointer(stream);
 -	Stream_Seek(stream, cbSegment);
 +	if (!Stream_SafeSeek(stream, cbSegment))
 +		return FALSE;

  	if (!(flags & PACKET_COMPRESSED))
  	{
 @@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
  						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
  							return FALSE;

 +						if (count > zgfx->cBitsRemaining / 8)
 +							return FALSE;
 +
  						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
  						           count);
  						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
	https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
	CVE: CVE-2022-39316
	Upstream-Status: Backport
	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

	From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
	From: akallabeth <akallabeth@posteo.net>
	Date: Thu, 13 Oct 2022 09:09:28 +0200
	Subject: [PATCH] Added missing length checks in zgfx_decompress_segment

	(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
	---
	libfreerdp/codec/zgfx.c \| 11 +++++++----
	1 file changed, 7 insertions(+), 4 deletions(-)

	diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
	index 20fbd354571..e260aa6e28a 100644
	--- a/libfreerdp/codec/zgfx.c
	+++ b/libfreerdp/codec/zgfx.c
	@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
	BYTE* pbSegment;
	size_t cbSegment;

	- if (!zgfx \|\| !stream)
	+ if (!zgfx \|\| !stream \|\| (segmentSize < 2))
	return FALSE;

	cbSegment = segmentSize - 1;

	- if ((Stream_GetRemainingLength(stream) < segmentSize) \|\| (segmentSize < 1) \|\|
	- (segmentSize > UINT32_MAX))
	+ if ((Stream_GetRemainingLength(stream) < segmentSize) \|\| (segmentSize > UINT32_MAX))
	return FALSE;

	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
	zgfx->OutputCount = 0;
	pbSegment = Stream_Pointer(stream);
	- Stream_Seek(stream, cbSegment);
	+ if (!Stream_SafeSeek(stream, cbSegment))
	+ return FALSE;

	if (!(flags & PACKET_COMPRESSED))
	{
	@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
	if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
	return FALSE;

	+ if (count > zgfx->cBitsRemaining / 8)
	+ return FALSE;
	+
	CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
	count);
	zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);