From d5609e5467ce8b18ba643db9f33c0d5e213f2dfd Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 25 May 2020 09:37:48 +0200
Subject: [PATCH] Fixed OOB Read in license_read_new_or_upgrade_license_packet
CVE-2020-11099 thanks to @antonio-morales for finding this.
(cherry picked from commit 6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a)
---
 libfreerdp/core/license.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/libfreerdp/core/license.c b/libfreerdp/core/license.c
index 18bcb9f..097107b 100644
--- a/libfreerdp/core/license.c
+++ b/libfreerdp/core/license.c
@@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 if (!licenseStream)
 goto out_free_blob;
+ if (Stream_GetRemainingLength(licenseStream) < 8) goto out_free_stream;
+
 Stream_Read_UINT16(licenseStream, os_minor);
 Stream_Read_UINT16(licenseStream, os_major);
@@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbScope);
 /* CompanyName */
+ if (Stream_GetRemainingLength(licenseStream) < 4) goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbCompanyName);
 if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
 goto out_free_stream;
@@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbCompanyName);
 /* productId */
+ if (Stream_GetRemainingLength(licenseStream) < 4) goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbProductId);
 if (Stream_GetRemainingLength(licenseStream) < cbProductId)
 goto out_free_stream;
@@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbProductId);
 /* licenseInfo */
+ if (Stream_GetRemainingLength(licenseStream) < 4) goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbLicenseInfo);
 if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
 goto out_free_stream;
--
2.7.4
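Review bot: The constant in the new guard `if (Stream_GetRemainingLength(licenseStream) < 8)` is not explained, and the hunk itself only shows 4 bytes being consumed by the two `Stream_Read_UINT16` calls (os_minor, os_major); the other 4 bytes presumably cover the cbScope length read that sits between this hunk and the next, where `Stream_Seek(licenseStream, cbScope)` appears. A comment on the check such as `/* os_minor (2) + os_major (2) + cbScope length (4) */` would let a reader confirm the constant against the reads it protects without scrolling, and should be corrected if the covered field is different. The later hunks guard each UINT32 length field individually with `< 4`, so it is worth stating why this first check is batched. license_read_new_or_upgrade_license_packet begins before this hunk and continues past it, so the reads the 8 bytes cover cannot be fully verified from the patch alone.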
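Review bot: The guard `if (Stream_GetRemainingLength(licenseStream) < 4) goto out_free_stream;` added before `Stream_Read_UINT32(licenseStream, cbCompanyName)` is correct, and the same two lines are repeated verbatim in the productId and licenseInfo hunks, so the sequence check-4 / read length / check-remaining now appears three times with nothing tying the literal 4 to the width of the field it protects. A small static helper that performs the prefix check, the length read and the remaining-length comparison in one place would make the three sites read identically and keep a future length-prefixed field from omitting the guard, which is exactly the class of omission this CVE fix repairs. The lines between each remaining-length comparison and the following `Stream_Seek` are outside the hunks, so the helper below deliberately stops after the comparison and leaves the seek and any copying to the caller. Passing `&cbCompanyName` assumes the cb* variables are declared UINT32, which the hunks do not show and should be confirmed at the declarations above the first hunk.
```c
/* Read a 4-byte length prefix from s and verify that many bytes remain.
 * Returns FALSE if either the prefix or the payload is truncated; on
 * success *cb holds the length and the payload is left unconsumed. */
static BOOL license_read_length_prefix(wStream* s, UINT32* cb)
{
	if (Stream_GetRemainingLength(s) < 4)
		return FALSE;

	Stream_Read_UINT32(s, *cb);
	return Stream_GetRemainingLength(s) >= *cb;
}

	/* CompanyName */
	if (!license_read_length_prefix(licenseStream, &cbCompanyName))
		goto out_free_stream;
	/* … unchanged: lines between the check and Stream_Seek(licenseStream, cbCompanyName) … */
```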