From ab18f07873b6f502217712d8029a30ca152f4c32 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Tue, 26 May 2020 16:12:58 +0200
Subject: [PATCH] Fixed TrioParse and trio_length limts. CVE-2020-4030 thanks to @antonio-morales for finding this.
(cherry picked from commit 05cd9ea2290d23931f615c1b004d4b2e69074e27)
---
 winpr/libwinpr/utils/trio/trio.c | 6 +++---
 winpr/libwinpr/utils/trio/triostr.c | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/winpr/libwinpr/utils/trio/trio.c b/winpr/libwinpr/utils/trio/trio.c
index ec765ce..b278f47 100644
--- a/winpr/libwinpr/utils/trio/trio.c
+++ b/winpr/libwinpr/utils/trio/trio.c
@@ -2729,7 +2729,7 @@ TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precis
 trio_class_t* self, TRIO_CONST char* string, trio_flags_t flags, int width, int precision)
 {
- int length;
+ int length = 0;
 int ch;
 assert(VALID(self));
@@ -2747,7 +2747,7 @@ TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precis
 }
 else
 {
- if (precision == 0)
+ if (precision <= 0)
 {
 length = trio_length(string);
 }
@@ -4754,7 +4754,7 @@ TRIO_PUBLIC trio_pointer_t trio_register TRIO_ARGS2((callback, name), trio_callb
 }
 /* Bail out if namespace is too long */
- if (trio_length(name) >= MAX_USER_NAME)
+ if (trio_length_max(name, MAX_USER_NAME) >= MAX_USER_NAME)
 return NULL;
 /* Bail out if namespace already is registered */
diff --git a/winpr/libwinpr/utils/trio/triostr.c b/winpr/libwinpr/utils/trio/triostr.c
index da12775..6832ad5 100644
--- a/winpr/libwinpr/utils/trio/triostr.c
+++ b/winpr/libwinpr/utils/trio/triostr.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "triodef.h"
 #include "triostr.h"
@@ -328,7 +329,7 @@ TRIO_PUBLIC_STRING void trio_destroy TRIO_ARGS1((string), char* string)
 TRIO_PUBLIC_STRING size_t trio_length TRIO_ARGS1((string), TRIO_CONST char* string)
 {
- return strlen(string);
+ return trio_length_max(string, INT_MAX);
 }
 #endif
--
2.7.4
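Review bot: In the second trio.c hunk, the `size_t` result of `trio_length(string)` is stored in the `int length` declared in the hunk before it. The assignment stays in range only because this same commit caps `trio_length` at `INT_MAX` in triostr.c. Nothing at the call site records that dependency, so a later change to `trio_length` could quietly bring back an out-of-range length here. A comment above the call would keep the two in step, for example `/* no usable precision: take the full length; trio_length() is capped at INT_MAX, so it fits in int */`. The else arm that handles a positive precision lies outside the hunk, so how it converts `precision` for the bounded length call could not be checked from here.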
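Review bot: In the last triostr.c hunk, `trio_length` now returns at most `INT_MAX` instead of the true length, which is a silent contract change for a public function. Any caller that sizes an allocation or a copy from it would get a shortened value for a longer string, though no such caller is visible in this patch. The function's doc comment should state the cap, for example `@return Length of @p string, capped at INT_MAX.` The `#endif` straight after the body shows that `trio_length` is conditionally compiled. If `trio_length_max` sits behind a separate feature macro (not visible here), the two guards need to be enabled together, otherwise this call refers to a function that is not declared.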