Import fix for CVE-2022-39316 - Out of bound read in zgfx decoder

2023-10-29 10:12:55 +01:00 · 2023-10-29 10:12:55 +01:00 · 56d1291988
commit 56d1291988
parent 3f665697f0
3 changed files with 53 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -9,6 +9,8 @@ freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
    parameters.
  * Import fix for CVE-2022-24883 - FreeRDP Server authentication might allow
    invalid credentials to pass.
+  * Import fix for (see #1024511)
+    - CVE-2022-39316 - Out of bound read in zgfx decoder and

 -- Tobias Frost <tobi@debian.org>  Sat, 28 Oct 2023 18:12:57 +0200

--- a/debian/patches/0053-CVE-2022-39316.patch
+++ b/debian/patches/0053-CVE-2022-39316.patch
@ -0,0 +1,50 @@
+Description: CVE-2022-39316 - Out of bound read in zgfx decoder 
+Origin: https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0.patch
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024511
+From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 09:09:28 +0200
+Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
+
+(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
+---
+ libfreerdp/codec/zgfx.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
+@@ -230,19 +230,19 @@
+ 	BYTE* pbSegment;
+ 	size_t cbSegment;
+ 
+-	if (!zgfx || !stream)
+	if (!zgfx || !stream || (segmentSize < 2))
+ 		return FALSE;
+ 
+ 	cbSegment = segmentSize - 1;
+ 
+-	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
+-	    (segmentSize > UINT32_MAX))
+	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
+ 		return FALSE;
+ 
+ 	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
+ 	zgfx->OutputCount = 0;
+ 	pbSegment = Stream_Pointer(stream);
+-	Stream_Seek(stream, cbSegment);
+	if (!Stream_SafeSeek(stream, cbSegment))
+		return FALSE;
+ 
+ 	if (!(flags & PACKET_COMPRESSED))
+ 	{
+@@ -350,6 +350,9 @@
+ 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+ 							return FALSE;
+ 
+						if (count > zgfx->cBitsRemaining / 8)
+							return FALSE;
+
+ 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+ 						           count);
+ 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -42,3 +42,4 @@
 0050-CVE-2021-41160.patch
 0051-CVE-2022-24882.patch
 0052-CVE-2022-24883.patch
+0053-CVE-2022-39316.patch