From 0333c99067738b37ec11af7cf54aec74a535cb1e Mon Sep 17 00:00:00 2001
From: Tobias Frost
Date: Tue, 3 Oct 2023 09:35:54 +0200
Subject: [PATCH] Enable Salsa CI
---
 debian/.gitlab-ci.yml | 8 +++++
 debian/changelog | 3 ++
 debian/patches/0036-CVE-2023-3950.patch | 48 +++++++++++++++++++++++++
 debian/patches/series | 1 +
 4 files changed, 60 insertions(+)
 create mode 100644 debian/.gitlab-ci.yml
 create mode 100644 debian/patches/0036-CVE-2023-3950.patch
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
new file mode 100644
index 0000000..eff1842
--- /dev/null
+++ b/debian/.gitlab-ci.yml
@@ -0,0 +1,8 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
diff --git a/debian/changelog b/debian/changelog
index f1b1404..bf1d5ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ freerdp2 (2.3.0+dfsg1-2~deb10u3) UNRELEASED; urgency=medium CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 and CVE-2020-15103 (Closes: #965979) + * Backporting remaining issues: (Closes: #1051638) + CVE-2023-3950 + -- Tobias Frost Mon, 02 Oct 2023 17:10:48 +0200
diff --git a/debian/patches/0036-CVE-2023-3950.patch b/debian/patches/0036-CVE-2023-3950.patch
new file mode 100644
index 0000000..d87ccbd
--- /dev/null
+++ b/debian/patches/0036-CVE-2023-3950.patch
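Review bot: In the debian/.gitlab-ci.yml hunk, `SALSA_CI_DISABLE_REPROTEST: 1` and `SALSA_CI_DISABLE_LINTIAN: 1` switch off two pipeline jobs with no stated reason, so a later maintainer cannot tell whether this is a limitation of the buster target or a temporary workaround. A short comment above them, such as `# reprotest and lintian disabled for buster: <reason>`, would record that. The `include:` also takes the recipe from the `master` branch of a remote repository, so the job definitions that build this security backport can change without any commit in this tree. That appears to be the usual Salsa CI arrangement, but it matters when a green pipeline is cited as evidence that the backport is sound.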
@@ -0,0 +1,48 @@
+Description: Upstream fix for CVE-2023-39350 - Incorrect offset calculation leading to DOS
+Origin: https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
+Bug-Vendor: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
+From e204fc8be5a372626b13f66daf2abafe71dbc2dc Mon Sep 17 00:00:00 2001
+From: Armin Novak
+Date: Sat, 5 Aug 2023 08:57:28 +0200
+Subject: [PATCH] [coded,rfx] check indices are within range
+
+reported by @pwn2carr
+---
+ libfreerdp/codec/rfx.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -936,6 +936,31 @@
+ Stream_Read_UINT8(&sub, tile->quantIdxY); /* quantIdxY (1 byte) */
+ Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
+ Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
++ if (tile->quantIdxY >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
++ context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ if (tile->quantIdxCb >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
++ context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ if (tile->quantIdxCr >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
++ context->numQuant);
++ rc = FALSE;
++ break;
++ }
++
+ Stream_Read_UINT16(&sub, tile->xIdx); /* xIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->yIdx); /* yIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->YLen); /* YLen (2 bytes) */
diff --git a/debian/patches/series b/debian/patches/series
index 3b76fa4..105cb71 100644
--- a/debian/patches/series
+++ b/debian/patches/series
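Review bot: The CVE identifier is inconsistent across this commit: the `Description:` header of debian/patches/0036-CVE-2023-3950.patch names CVE-2023-39350, while the patch file name, the debian/changelog entry and the new debian/patches/series line all say CVE-2023-3950. The "Incorrect offset calculation" wording and the linked upstream advisory suggest the Description is the correct one, so the file should probably be `0036-CVE-2023-39350.patch`, with the changelog and series entries changed to match. A wrong ID in the changelog means anyone who tracks fixes from changelog text records this backport against a different CVE and still sees the real one as open. In the code, the three added `quantIdx* >= context->numQuant` checks exit with `rc = FALSE; break;`, but the enclosing loop and its cleanup are outside the hunk, so confirm in the 2.3.0 tree that this path releases the current tile as the existing error paths do.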
@@ -23,3 +23,4 @@
 0034-Fixed-6938-Remote-app-mode-clipboard-fix.patch
 0035-Fixed-6989-Use-X509_STORE_set_default_paths.patch
 1001_keep-symbol-DumpThreadHandles-if-debugging-is-disabled.patch
+0036-CVE-2023-3950.patch