From 9c2cb890eb2eb6845671ece008a098b20bf0db4e Mon Sep 17 00:00:00 2001
From: Tobias Frost <tobi@debian.org>
Date: Sun, 12 Nov 2023 12:52:03 +0100
Subject: [PATCH] Import fix for CVE-2022-39283 - closes also #1021659

---
 debian/changelog                         |  4 +--
 debian/patches/0058-CVE-2022-39282.patch |  4 +++
 debian/patches/0059-CVE-2022-39283.patch | 39 ++++++++++++++++++++++++
 debian/patches/series                    |  1 +
 4 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/0059-CVE-2022-39283.patch

diff --git a/debian/changelog b/debian/changelog
index 1bcaaa7..ccbe473 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,11 +11,11 @@ freerdp2 (2.3.0+dfsg1-2+deb10u4) buster-security; urgency=medium
     - CVE-2022-39319 - Missing length validation in urbdrc channel
     - CVE-2022-39347 - Missing path sanitation with `drive` channel
     - CVE-2022-41877 - Missing input length validation in `drive` channel
-  * Import fix for CVE-2022-39282 (Closes: #1021659)
+  * Import fix for CVE-2022-39282 and CVE-2023-39283 (Closes: #1021659)
   * Previous upload had a typo in the CVE list: It was CVE 2023-40567 not
     CVE 2023-39357; fixing changelog entry.
 
- -- Tobias Frost <tobi@debian.org>  Sun, 12 Nov 2023 12:24:20 +0100
+ -- Tobias Frost <tobi@debian.org>  Sun, 12 Nov 2023 13:08:01 +0100
 
 freerdp2 (2.3.0+dfsg1-2+deb10u3) buster-security; urgency=medium
 
diff --git a/debian/patches/0058-CVE-2022-39282.patch b/debian/patches/0058-CVE-2022-39282.patch
index 75acd76..2403256 100644
--- a/debian/patches/0058-CVE-2022-39282.patch
+++ b/debian/patches/0058-CVE-2022-39282.patch
@@ -1,3 +1,7 @@
+Description: CVE-2022-39282 - RDP client: Read of uninitialized memory with parallel port redirection
+Origin: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021659
 From 60aac2abf0740dd36b62712fba91498fd6e055fe Mon Sep 17 00:00:00 2001
 From: akallabeth <akallabeth@posteo.net>
 Date: Thu, 6 Oct 2022 09:12:40 +0200
diff --git a/debian/patches/0059-CVE-2022-39283.patch b/debian/patches/0059-CVE-2022-39283.patch
new file mode 100644
index 0000000..a236fa5
--- /dev/null
+++ b/debian/patches/0059-CVE-2022-39283.patch
@@ -0,0 +1,39 @@
+Description: CVE-2022-39283 - RDP client might read out of bounds data and display it 
+Origin: https://github.com/FreeRDP/FreeRDP/commit/be793c3bb776c1bbda9156b427408d5a5eb00f70
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021659
+From be793c3bb776c1bbda9156b427408d5a5eb00f70 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 6 Oct 2022 09:15:40 +0200
+Subject: [PATCH] Fixed missing length check in video channel
+
+Data received in video redirection channel was not checked for
+proper length.
+
+(cherry picked from commit eeffd1050e9284d1464b58e049b2b4d88726632b)
+---
+ channels/video/client/video_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/channels/video/client/video_main.c
++++ b/channels/video/client/video_main.c
+@@ -46,6 +46,10 @@
+ 
+ #include "video_main.h"
+ 
++#define Stream_CheckAndLogRequiredLength(tag, s, len)                                             \
++	Stream_CheckAndLogRequiredLengthWLogEx(WLog_Get(tag), WLOG_WARN, s, len, "%s(%s:%" PRIuz ")", __FUNCTION__, \
++	                                   __FILE__, __LINE__)
++
+ struct _VIDEO_CHANNEL_CALLBACK
+ {
+ 	IWTSVirtualChannelCallback iface;
+@@ -930,6 +934,8 @@
+ 	Stream_Read_UINT16(s, data.PacketsInSample);
+ 	Stream_Read_UINT32(s, data.SampleNumber);
+ 	Stream_Read_UINT32(s, data.cbSample);
++	if (!Stream_CheckAndLogRequiredLength(TAG, s, data.cbSample))
++		return ERROR_INVALID_DATA;
+ 	data.pSample = Stream_Pointer(s);
+ 
+ 	/*
diff --git a/debian/patches/series b/debian/patches/series
index ba51548..a749dae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -47,3 +47,4 @@
 0056-CVE-2022-39347.patch
 0057-CVE-2022-41877.patch
 0058-CVE-2022-39282.patch
+0059-CVE-2022-39283.patch