CVE-2023-40186

This commit is contained in:
Tobias Frost 2023-10-07 13:11:23 +02:00
parent 0f3fd7d339
commit f6f2bf7896
3 changed files with 395 additions and 1 deletions

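--- a/debian/changelog
+++ b/debian/changelog
@@ -16,7 +16,7 @@ freerdp2 (2.3.0+dfsg1-2~deb10u3) UNRELEASED; urgency=medium
 * Backporting/Importing upstream patches for (Closes: #1051638):
 CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353
 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357
-CVE-2023-40181
+CVE-2023-40181 CVE-2023-40186
 -- Tobias Frost <tobi@debian.org> Mon, 02 Oct 2023 17:10:48 +0200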

debian/patches/0046-CVE-2023-40186.patch vendored Normal file

@ -0,0 +1,393 @@
Description: Upstream fix for CVE-2023-40186 - IntegerOverflow leading to Out-Of-Bound Write Vulnerability in gdi_CreateSurface
Origin: https://github.com/FreeRDP/FreeRDP/commit/d8a1ac342ae375644c70579c33b5cf38fb43b083
Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
From d8a1ac342ae375644c70579c33b5cf38fb43b083 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Tue, 22 Aug 2023 09:41:28 +0200
Subject: [PATCH] [warnings] fix integer multiplications
Ensure the integer width for size arguments is 64bit in a
multiplication. Leading 64bit constant 1ull expands width, a trailing
one is ignored.
(cherry picked from commit b3f0ab2814e39e0f779343c53699e7dc6c1b1c22)
---
channels/rdpsnd/server/rdpsnd_main.c | 2 +-
client/X11/xf_gdi.c | 2 +-
client/X11/xf_gfx.c | 4 ++--
client/X11/xf_graphics.c | 4 ++--
client/X11/xf_rail.c | 4 ++--
libfreerdp/codec/clear.c | 4 ++--
libfreerdp/codec/color.c | 6 +++---
libfreerdp/codec/h264.c | 6 +++---
libfreerdp/codec/progressive.c | 2 +-
libfreerdp/gdi/bitmap.c | 2 +-
libfreerdp/gdi/gdi.c | 2 +-
libfreerdp/gdi/gfx.c | 4 ++--
libfreerdp/gdi/graphics.c | 2 +-
libfreerdp/gdi/shape.c | 2 +-
libfreerdp/gdi/video.c | 2 +-
libfreerdp/primitives/prim_copy.c | 4 ++--
libfreerdp/primitives/primitives.c | 2 +-
uwac/libuwac/uwac-window.c | 8 ++++----
winpr/libwinpr/utils/lodepng/lodepng.c | 14 +++++++-------
19 files changed, 38 insertions(+), 38 deletions(-)
--- a/channels/rdpsnd/server/rdpsnd_main.c
+++ b/channels/rdpsnd/server/rdpsnd_main.c
@@ -422,7 +422,7 @@
Stream_Seek(s, 3); /* bPad */
start = Stream_GetPosition(s);
src = context->priv->out_buffer;
- length = context->priv->out_pending_frames * context->priv->src_bytes_per_frame * 1ULL;
+ length = 1ull * context->priv->out_pending_frames * context->priv->src_bytes_per_frame;
if (!freerdp_dsp_encode(context->priv->dsp_context, context->src_format, src, length, s))
return ERROR_INTERNAL_ERROR;
--- a/client/X11/xf_gdi.c
+++ b/client/X11/xf_gdi.c
@@ -1066,7 +1066,7 @@
case RDP_CODEC_ID_NONE:
pSrcData = cmd->bmp.bitmapData;
format = gdi_get_pixel_format(cmd->bmp.bpp);
- size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format) * 1ULL;
+ size = 1ull * cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
if (size > cmd->bmp.bitmapDataLength)
{
WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
--- a/client/X11/xf_gfx.c
+++ b/client/X11/xf_gfx.c
@@ -288,7 +288,7 @@
surface->gdi.scanline = surface->gdi.width * GetBytesPerPixel(surface->gdi.format);
surface->gdi.scanline = x11_pad_scanline(surface->gdi.scanline, xfc->scanline_pad);
- size = surface->gdi.scanline * surface->gdi.height * 1ULL;
+ size = 1ull * surface->gdi.scanline * surface->gdi.height;
surface->gdi.data = (BYTE*)_aligned_malloc(size, 16);
if (!surface->gdi.data)
@@ -312,7 +312,7 @@
UINT32 bytes = GetBytesPerPixel(gdi->dstFormat);
surface->stageScanline = width * bytes;
surface->stageScanline = x11_pad_scanline(surface->stageScanline, xfc->scanline_pad);
- size = surface->stageScanline * surface->gdi.height * 1ULL;
+ size = 1ull * surface->stageScanline * surface->gdi.height;
surface->stage = (BYTE*)_aligned_malloc(size, 16);
if (!surface->stage)
--- a/client/X11/xf_graphics.c
+++ b/client/X11/xf_graphics.c
@@ -304,7 +304,7 @@
ci.height = yTargetSize;
ci.xhot = pointer->xPos * xscale;
ci.yhot = pointer->yPos * yscale;
- size = ci.height * ci.width * GetBytesPerPixel(CursorFormat) * 1ULL;
+ size = 1ull * ci.height * ci.width * GetBytesPerPixel(CursorFormat);
if (xscale != 1 || yscale != 1)
{
@@ -391,7 +391,7 @@
xpointer->nCursors = 0;
xpointer->mCursors = 0;
- size = pointer->height * pointer->width * GetBytesPerPixel(CursorFormat) * 1ULL;
+ size = 1ull * pointer->height * pointer->width * GetBytesPerPixel(CursorFormat);
if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16)))
return FALSE;
--- a/client/X11/xf_rail.c
+++ b/client/X11/xf_rail.c
@@ -532,7 +532,7 @@
cache->numCaches = settings->RemoteAppNumIconCaches;
cache->numCacheEntries = settings->RemoteAppNumIconCacheEntries;
- cache->entries = calloc(cache->numCaches * cache->numCacheEntries * 1ULL, sizeof(xfRailIcon));
+ cache->entries = calloc(1ull * cache->numCaches * cache->numCacheEntries, sizeof(xfRailIcon));
if (!cache->entries)
{
@@ -602,7 +602,7 @@
long* pixels;
int i;
int nelements;
- argbPixels = calloc(iconInfo->width * iconInfo->height * 1ULL, 4);
+ argbPixels = calloc(1ull * iconInfo->width * iconInfo->height, 4);
if (!argbPixels)
goto error;
--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
@@ -566,7 +566,7 @@
const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp;
BYTE* tmp;
vBarEntry->size = vBarEntry->count;
- tmp = (BYTE*)realloc(vBarEntry->pixels, vBarEntry->count * bpp * 1ULL);
+ tmp = (BYTE*)realloc(vBarEntry->pixels, 1ull * vBarEntry->count * bpp);
if (!tmp)
{
@@ -977,7 +977,7 @@
if (glyphEntry->count > glyphEntry->size)
{
BYTE* tmp;
- tmp = realloc(glyphEntry->pixels, glyphEntry->count * bpp * 1ULL);
+ tmp = realloc(glyphEntry->pixels, 1ull * glyphEntry->count * bpp);
if (!tmp)
{
--- a/libfreerdp/codec/color.c
+++ b/libfreerdp/codec/color.c
@@ -56,7 +56,7 @@
* means of accessing individual pixels in blitting operations
*/
scanline = (width + 7) / 8;
- dstData = (BYTE*)_aligned_malloc(width * height * 1ULL, 16);
+ dstData = (BYTE*)_aligned_malloc(1ull * width * height, 16);
if (!dstData)
return NULL;
@@ -545,7 +545,7 @@
for (y = nYDst; y < nHeight; y++)
{
BYTE* pDstLine = &pDstData[y * nDstStep + nXDst * dstBytesPerPixel];
- memset(pDstLine, 0, dstBytesPerPixel * (nWidth - nXDst) * 1ULL);
+ memset(pDstLine, 0, 1ull * dstBytesPerPixel * (nWidth - nXDst));
}
switch (xorBpp)
@@ -742,7 +742,7 @@
for (y = 1; y < nHeight; y++)
{
BYTE* pDstLine = &pDstData[(y + nYDst) * nDstStep + nXDst * bpp];
- memcpy(pDstLine, pFirstDstLineXOffset, nWidth * bpp * 1ULL);
+ memcpy(pDstLine, pFirstDstLineXOffset, 1ull * nWidth * bpp);
}
return TRUE;
--- a/libfreerdp/codec/h264.c
+++ b/libfreerdp/codec/h264.c
@@ -63,9 +63,9 @@
_aligned_free(h264->pYUVData[0]);
_aligned_free(h264->pYUVData[1]);
_aligned_free(h264->pYUVData[2]);
- h264->pYUVData[0] = _aligned_malloc(h264->iStride[0] * height * 1ULL, 16);
- h264->pYUVData[1] = _aligned_malloc(h264->iStride[1] * height * 1ULL, 16);
- h264->pYUVData[2] = _aligned_malloc(h264->iStride[2] * height * 1ULL, 16);
+ h264->pYUVData[0] = _aligned_malloc(1ull * h264->iStride[0] * height, 16);
+ h264->pYUVData[1] = _aligned_malloc(1ull * h264->iStride[1] * height, 16);
+ h264->pYUVData[2] = _aligned_malloc(1ull * h264->iStride[2] * height, 16);
if (!h264->pYUVData[0] || !h264->pYUVData[1] || !h264->pYUVData[2])
return FALSE;
--- a/libfreerdp/codec/progressive.c
+++ b/libfreerdp/codec/progressive.c
@@ -411,7 +411,7 @@
tile->stride = 4 * tile->width;
{
- size_t dataLen = tile->stride * tile->height * 1ULL;
+ size_t dataLen = 1ull * tile->stride * tile->height;
tile->data = (BYTE*)_aligned_malloc(dataLen, 16);
}
--- a/libfreerdp/gdi/bitmap.c
+++ b/libfreerdp/gdi/bitmap.c
@@ -148,7 +148,7 @@
hBitmap->width = nWidth;
hBitmap->height = nHeight;
hBitmap->data =
- _aligned_malloc(nWidth * nHeight * GetBytesPerPixel(hBitmap->format) * 1ULL, 16);
+ _aligned_malloc(1ull * nWidth * nHeight * GetBytesPerPixel(hBitmap->format), 16);
hBitmap->free = _aligned_free;
if (!hBitmap->data)
--- a/libfreerdp/gdi/gdi.c
+++ b/libfreerdp/gdi/gdi.c
@@ -1057,7 +1057,7 @@
case RDP_CODEC_ID_NONE:
format = gdi_get_pixel_format(cmd->bmp.bpp);
- size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format) * 1ULL;
+ size = 1ull * cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format);
if (size > cmd->bmp.bitmapDataLength)
{
WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz,
--- a/libfreerdp/gdi/gfx.c
+++ b/libfreerdp/gdi/gfx.c
@@ -730,7 +730,7 @@
{
UINT32 x, y;
- if (Stream_GetRemainingLength(&s) < cmd->height * cmd->width * 1ULL)
+ if (Stream_GetRemainingLength(&s) < 1ull * cmd->height * cmd->width)
return ERROR_INVALID_DATA;
for (y = cmd->top; y < cmd->top + cmd->height; y++)
@@ -1029,7 +1029,7 @@
}
surface->scanline = gfx_align_scanline(surface->width * 4UL, 16);
- surface->data = (BYTE*)_aligned_malloc(surface->scanline * surface->height * 1ULL, 16);
+ surface->data = (BYTE*)_aligned_malloc(1ull * surface->scanline * surface->height, 16);
if (!surface->data)
{
--- a/libfreerdp/gdi/graphics.c
+++ b/libfreerdp/gdi/graphics.c
@@ -52,7 +52,7 @@
return NULL;
nDstStep = nWidth * GetBytesPerPixel(gdi->dstFormat);
- pDstData = _aligned_malloc(nHeight * nDstStep * 1ULL, 16);
+ pDstData = _aligned_malloc(1ull * nHeight * nDstStep, 16);
if (!pDstData)
return NULL;
--- a/libfreerdp/gdi/shape.c
+++ b/libfreerdp/gdi/shape.c
@@ -158,7 +158,7 @@
for (y = 1; y < nHeight; y++)
{
BYTE* dstp = gdi_get_bitmap_pointer(hdc, nXDest, nYDest + y);
- memcpy(dstp, srcp, nWidth * formatSize * 1ULL);
+ memcpy(dstp, srcp, 1ull * nWidth * formatSize);
}
break;
--- a/libfreerdp/gdi/video.c
+++ b/libfreerdp/gdi/video.c
@@ -66,7 +66,7 @@
ret->base.w = width;
ret->base.h = height;
ret->scanline = width * bpp;
- ret->image = _aligned_malloc(ret->scanline * height * 1ULL, 16);
+ ret->image = _aligned_malloc(1ull * ret->scanline * height, 16);
if (!ret->image)
{
--- a/libfreerdp/primitives/prim_copy.c
+++ b/libfreerdp/primitives/prim_copy.c
@@ -60,14 +60,14 @@
if (p1m <= p2m)
{
- ULONG_PTR p1mEnd = p1m + (height - 1) * p1Step * 1ULL + width * p1Size * 1ULL;
+ ULONG_PTR p1mEnd = p1m + 1ull * (height - 1) * p1Step + 1ull * width * p1Size;
if (p1mEnd > p2m)
return TRUE;
}
else
{
- ULONG_PTR p2mEnd = p2m + (height - 1) * p2Step * 1ULL + width * p2Size * 1ULL;
+ ULONG_PTR p2mEnd = p2m + 1ull * (height - 1) * p2Step + 1ull * width * p2Size;
if (p2mEnd > p1m)
return TRUE;
--- a/libfreerdp/primitives/primitives.c
+++ b/libfreerdp/primitives/primitives.c
@@ -157,7 +157,7 @@
if (!buf)
goto fail;
- winpr_RAND(buf, roi->width * roi->height * 1ULL);
+ winpr_RAND(buf, 1ull * roi->width * roi->height);
ret->steps[i] = roi->width;
}
--- a/uwac/libuwac/uwac-window.c
+++ b/uwac/libuwac/uwac-window.c
@@ -316,14 +316,14 @@
w->buffers = newBuffers;
memset(w->buffers + w->nbuffers, 0, sizeof(UwacBuffer) * nbuffers);
- fd = uwac_create_anonymous_file(allocSize * nbuffers * 1ULL);
+ fd = uwac_create_anonymous_file(1ull * allocSize * nbuffers);
if (fd < 0)
{
return UWAC_ERROR_INTERNAL;
}
- data = mmap(NULL, allocSize * nbuffers * 1ULL, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+ data = mmap(NULL, 1ull * allocSize * nbuffers, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (data == MAP_FAILED)
{
@@ -335,7 +335,7 @@
if (!pool)
{
- munmap(data, allocSize * nbuffers * 1ULL);
+ munmap(data, 1ull * allocSize * nbuffers);
ret = UWAC_ERROR_NOMEMORY;
goto error_mmap;
}
@@ -756,7 +756,7 @@
if (copyContentForNextFrame)
memcpy(nextDrawingBuffer->data, pendingBuffer->data,
- window->stride * window->height * 1ULL);
+ 1ull * window->stride * window->height);
UwacSubmitBufferPtr(window, pendingBuffer);
return UWAC_SUCCESS;
--- a/winpr/libwinpr/utils/lodepng/lodepng.c
+++ b/winpr/libwinpr/utils/lodepng/lodepng.c
@@ -3814,7 +3814,7 @@
{
size_t i;
ColorTree tree;
- size_t numpixels = w * h * 1ULL;
+ size_t numpixels = 1ull * w * h;
if (lodepng_color_mode_equal(mode_out, mode_in))
{
@@ -3917,7 +3917,7 @@
unsigned error = 0;
size_t i;
ColorTree tree;
- size_t numpixels = w * h * 1ULL;
+ size_t numpixels = 1ull * w * h;
unsigned colored_done = lodepng_is_greyscale_type(mode) ? 1 : 0;
unsigned alpha_done = lodepng_can_have_alpha(mode) ? 0 : 1;
@@ -4538,7 +4538,7 @@
if (bpp < 8 && w * bpp != ((w * bpp + 7) / 8) * 8)
{
CERROR_TRY_RETURN(unfilter(in, in, w, h, bpp));
- removePaddingBits(out, in, w * bpp * 1ULL, ((w * bpp + 7ULL) / 8ULL) * 8ULL, h);
+ removePaddingBits(out, in, 1ull * w * bpp, ((w * bpp + 7ULL) / 8ULL) * 8ULL, h);
}
/*we can immediatly filter into the out buffer, no other steps needed*/
else
@@ -4564,7 +4564,7 @@
bits between the different reduced images: each reduced image still starts nicely at
a byte*/
removePaddingBits(&in[passstart[i]], &in[padded_passstart[i]],
- passw[i] * bpp * 1ULL, ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL,
+ 1ull * passw[i] * bpp, ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL,
passh[i]);
}
}
@@ -6055,7 +6055,7 @@
error = 83; /*alloc fail*/
if (!error)
{
- addPaddingBits(padded, in, ((w * bpp + 7ULL) / 8ULL) * 8ULL, w * bpp * 1ULL, h);
+ addPaddingBits(padded, in, ((w * bpp + 7ULL) / 8ULL) * 8ULL, 1ull * w * bpp, h);
error = filter(*out, padded, w, h, &info_png->color, settings);
}
free(padded);
@@ -6099,8 +6099,8 @@
if (!padded)
ERROR_BREAK(83); /*alloc fail*/
addPaddingBits(padded, &adam7[passstart[i]],
- ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, passw[i] * bpp * 1ULL,
- passh[i] * 1ULL);
+ ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, 1ull * passw[i] * bpp,
+ 1ull * passh[i]);
error = filter(&(*out)[filter_passstart[i]], padded, passw[i], passh[i],
&info_png->color, settings);
free(padded);
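Review bot: The leading `1ull` only helps where the 64-bit product is consumed as 64-bit; in the libfreerdp/gdi/gfx.c hunk at `@@ -1029` it is passed straight to `_aligned_malloc`, whose size argument is `size_t`, so on the 32-bit architectures buster still builds for (i386, armhf, mipsel) the product is truncated back to 32 bits and a large width/height can again yield a short allocation followed by the same out-of-bounds write. The same narrowing hits the `size` variable in the client/X11/xf_gdi.c and libfreerdp/gdi/gdi.c hunks at `@@ -1066` and `@@ -1057` — it is printed with `PRIuz`, so it appears to be `size_t` — which means the `if (size > cmd->bmp.bitmapDataLength)` check right after it can be satisfied by a wrapped value on those targets. An explicit range check before the narrowing, e.g. `const UINT64 size64 = 1ull * surface->scanline * surface->height; if (size64 > SIZE_MAX) { /* reject */ }`, or keeping `size` as `UINT64` until after the comparison, would close this; if width and height are already bounded by an earlier check the point is moot, but nothing in this patch shows one. The enclosing functions start and end outside the quoted hunks.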


@ -35,3 +35,4 @@
0043-CVE-2023-39356-part2.patch
0044-CVE-2023-40567.patch
0045-CVE-2023-40181.patch
0046-CVE-2023-40186.patch