Fixed OOB Read in license_read_new_or_upgrade_license_packet
authorakallabeth <akallabeth@posteo.net>
Mon, 25 May 2020 07:37:48 +0000 (09:37 +0200)
committerArmin Novak <armin.novak@thincast.com>
Mon, 22 Jun 2020 10:11:35 +0000 (12:11 +0200)
CVE-2020-11099. Thanks to @antonio-morales for finding this.

(cherry picked from commit 6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a)

libfreerdp/core/license.c

index 18bcb9f..097107b 100644 (file)
@@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
        if (!licenseStream)
                goto out_free_blob;
 
+       if (Stream_GetRemainingLength(licenseStream) < 8)
+               goto out_free_stream;
+
        Stream_Read_UINT16(licenseStream, os_minor);
        Stream_Read_UINT16(licenseStream, os_major);
 
@@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
        Stream_Seek(licenseStream, cbScope);
 
        /* CompanyName */
+       if (Stream_GetRemainingLength(licenseStream) < 4)
+               goto out_free_stream;
        Stream_Read_UINT32(licenseStream, cbCompanyName);
        if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
                goto out_free_stream;
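Review bot: The two-step check added here (4 bytes for the UINT32 length, then the length itself against the remaining stream) is repeated verbatim for cbCompanyName, cbProductId and cbLicenseInfo across this commit's three trailing hunks, and the same shape was already missing once before this fix; a small static helper makes the invariant one place to audit rather than three. Each call site then collapses to `if (!license_read_len_prefixed(licenseStream, &cbCompanyName)) goto out_free_stream;`, and any later field gets the guard for free. The enclosing function starts and ends outside this hunk, so the helper would go near the top of license.c with the other static readers.
```c
/* Read a UINT32 length prefix and verify the payload that follows fits in the stream.
 * Returns FALSE if either the prefix or the payload would read past the end. */
static BOOL license_read_len_prefixed(wStream* s, UINT32* cb)
{
	if (Stream_GetRemainingLength(s) < 4)
		return FALSE;
	Stream_Read_UINT32(s, *cb);
	return Stream_GetRemainingLength(s) >= *cb;
}

	/* … unchanged: cbScope handling … */

	/* CompanyName */
	if (!license_read_len_prefixed(licenseStream, &cbCompanyName))
		goto out_free_stream;
	/* … unchanged: CompanyName copy and Stream_Seek … */
```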
@@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
        Stream_Seek(licenseStream, cbCompanyName);
 
        /* productId */
+       if (Stream_GetRemainingLength(licenseStream) < 4)
+               goto out_free_stream;
        Stream_Read_UINT32(licenseStream, cbProductId);
        if (Stream_GetRemainingLength(licenseStream) < cbProductId)
                goto out_free_stream;
@@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
        Stream_Seek(licenseStream, cbProductId);
 
        /* licenseInfo */
+       if (Stream_GetRemainingLength(licenseStream) < 4)
+               goto out_free_stream;
        Stream_Read_UINT32(licenseStream, cbLicenseInfo);
        if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
                goto out_free_stream;
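Review bot: This last hunk guards the cbLicenseInfo prefix and payload, but the function body continues below it and any further field read after the licenseInfo blob (the Stream_Seek and whatever follows it are not visible here) needs the same `Stream_GetRemainingLength` check before each fixed-size read, or the OOB read the commit fixes simply moves one field later. Worth confirming against the tail of license_read_new_or_upgrade_license_packet, which ends outside this hunk; if nothing else is read from licenseStream after the seek, a one-line comment saying so (`/* licenseInfo is the last field of the NEW_LICENSE_INFO body */`) would let the next reviewer stop here.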