diff --git a/debian/changelog b/debian/changelog index a9aec1e..0050a17 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,7 +16,7 @@ freerdp2 (2.3.0+dfsg1-2~deb10u3) UNRELEASED; urgency=medium * Backporting/Importing upstream patches for (Closes: #1051638): CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-39357 - CVE-2023-40181 + CVE-2023-40181 CVE-2023-40186 -- Tobias Frost Mon, 02 Oct 2023 17:10:48 +0200 diff --git a/debian/patches/0046-CVE-2023-40186.patch b/debian/patches/0046-CVE-2023-40186.patch new file mode 100644 index 0000000..3b859ab --- /dev/null +++ b/debian/patches/0046-CVE-2023-40186.patch 
@@ -0,0 +1,393 @@ +Description: Upstream fix for CVE-2023-40186 - IntegerOverflow leading to Out-Of-Bound Write Vulnerability in gdi_CreateSurface +Origin: https://github.com/FreeRDP/FreeRDP/commit/d8a1ac342ae375644c70579c33b5cf38fb43b083 +Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638 +From d8a1ac342ae375644c70579c33b5cf38fb43b083 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Tue, 22 Aug 2023 09:41:28 +0200 +Subject: [PATCH] [warnings] fix integer multiplications + +Ensure the integer width for size arguments is 64bit in a +multiplication. Leading 64bit constant 1ull expands width, a trailing +one is ignored. + +(cherry picked from commit b3f0ab2814e39e0f779343c53699e7dc6c1b1c22) +--- + channels/rdpsnd/server/rdpsnd_main.c | 2 +- + client/X11/xf_gdi.c | 2 +- + client/X11/xf_gfx.c | 4 ++-- + client/X11/xf_graphics.c | 4 ++-- + client/X11/xf_rail.c | 4 ++-- + libfreerdp/codec/clear.c | 4 ++-- + libfreerdp/codec/color.c | 6 +++--- + libfreerdp/codec/h264.c | 6 +++--- + libfreerdp/codec/progressive.c | 2 +- + libfreerdp/gdi/bitmap.c | 2 +- + libfreerdp/gdi/gdi.c | 2 +- + libfreerdp/gdi/gfx.c | 4 ++-- + libfreerdp/gdi/graphics.c | 2 +- + libfreerdp/gdi/shape.c | 2 +- + libfreerdp/gdi/video.c | 2 +- + libfreerdp/primitives/prim_copy.c | 4 ++-- + libfreerdp/primitives/primitives.c | 2 +- + uwac/libuwac/uwac-window.c | 8 ++++---- + winpr/libwinpr/utils/lodepng/lodepng.c | 14 +++++++------- + 19 files changed, 38 insertions(+), 38 deletions(-) + +--- a/channels/rdpsnd/server/rdpsnd_main.c ++++ b/channels/rdpsnd/server/rdpsnd_main.c +@@ -422,7 +422,7 @@ + Stream_Seek(s, 3); /* bPad */ + start = Stream_GetPosition(s); + src = context->priv->out_buffer; +- length = context->priv->out_pending_frames * context->priv->src_bytes_per_frame * 1ULL; ++ length = 1ull * context->priv->out_pending_frames * context->priv->src_bytes_per_frame; + + if 
(!freerdp_dsp_encode(context->priv->dsp_context, context->src_format, src, length, s)) + return ERROR_INTERNAL_ERROR; +--- a/client/X11/xf_gdi.c ++++ b/client/X11/xf_gdi.c +@@ -1066,7 +1066,7 @@ + case RDP_CODEC_ID_NONE: + pSrcData = cmd->bmp.bitmapData; + format = gdi_get_pixel_format(cmd->bmp.bpp); +- size = cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format) * 1ULL; ++ size = 1ull * cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format); + if (size > cmd->bmp.bitmapDataLength) + { + WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz, +--- a/client/X11/xf_gfx.c ++++ b/client/X11/xf_gfx.c +@@ -288,7 +288,7 @@ + + surface->gdi.scanline = surface->gdi.width * GetBytesPerPixel(surface->gdi.format); + surface->gdi.scanline = x11_pad_scanline(surface->gdi.scanline, xfc->scanline_pad); +- size = surface->gdi.scanline * surface->gdi.height * 1ULL; ++ size = 1ull * surface->gdi.scanline * surface->gdi.height; + surface->gdi.data = (BYTE*)_aligned_malloc(size, 16); + + if (!surface->gdi.data) +@@ -312,7 +312,7 @@ + UINT32 bytes = GetBytesPerPixel(gdi->dstFormat); + surface->stageScanline = width * bytes; + surface->stageScanline = x11_pad_scanline(surface->stageScanline, xfc->scanline_pad); +- size = surface->stageScanline * surface->gdi.height * 1ULL; ++ size = 1ull * surface->stageScanline * surface->gdi.height; + surface->stage = (BYTE*)_aligned_malloc(size, 16); + + if (!surface->stage) +--- a/client/X11/xf_graphics.c ++++ b/client/X11/xf_graphics.c +@@ -304,7 +304,7 @@ + ci.height = yTargetSize; + ci.xhot = pointer->xPos * xscale; + ci.yhot = pointer->yPos * yscale; +- size = ci.height * ci.width * GetBytesPerPixel(CursorFormat) * 1ULL; ++ size = 1ull * ci.height * ci.width * GetBytesPerPixel(CursorFormat); + + if (xscale != 1 || yscale != 1) + { +@@ -391,7 +391,7 @@ + xpointer->nCursors = 0; + xpointer->mCursors = 0; + +- size = pointer->height * pointer->width * GetBytesPerPixel(CursorFormat) * 1ULL; ++ size = 1ull * 
pointer->height * pointer->width * GetBytesPerPixel(CursorFormat); + + if (!(xpointer->cursorPixels = (XcursorPixel*)_aligned_malloc(size, 16))) + return FALSE; +--- a/client/X11/xf_rail.c ++++ b/client/X11/xf_rail.c +@@ -532,7 +532,7 @@ + + cache->numCaches = settings->RemoteAppNumIconCaches; + cache->numCacheEntries = settings->RemoteAppNumIconCacheEntries; +- cache->entries = calloc(cache->numCaches * cache->numCacheEntries * 1ULL, sizeof(xfRailIcon)); ++ cache->entries = calloc(1ull * cache->numCaches * cache->numCacheEntries, sizeof(xfRailIcon)); + + if (!cache->entries) + { +@@ -602,7 +602,7 @@ + long* pixels; + int i; + int nelements; +- argbPixels = calloc(iconInfo->width * iconInfo->height * 1ULL, 4); ++ argbPixels = calloc(1ull * iconInfo->width * iconInfo->height, 4); + + if (!argbPixels) + goto error; +--- a/libfreerdp/codec/clear.c ++++ b/libfreerdp/codec/clear.c +@@ -566,7 +566,7 @@ + const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp; + BYTE* tmp; + vBarEntry->size = vBarEntry->count; +- tmp = (BYTE*)realloc(vBarEntry->pixels, vBarEntry->count * bpp * 1ULL); ++ tmp = (BYTE*)realloc(vBarEntry->pixels, 1ull * vBarEntry->count * bpp); + + if (!tmp) + { +@@ -977,7 +977,7 @@ + if (glyphEntry->count > glyphEntry->size) + { + BYTE* tmp; +- tmp = realloc(glyphEntry->pixels, glyphEntry->count * bpp * 1ULL); ++ tmp = realloc(glyphEntry->pixels, 1ull * glyphEntry->count * bpp); + + if (!tmp) + { +--- a/libfreerdp/codec/color.c ++++ b/libfreerdp/codec/color.c +@@ -56,7 +56,7 @@ + * means of accessing individual pixels in blitting operations + */ + scanline = (width + 7) / 8; +- dstData = (BYTE*)_aligned_malloc(width * height * 1ULL, 16); ++ dstData = (BYTE*)_aligned_malloc(1ull * width * height, 16); + + if (!dstData) + return NULL; +@@ -545,7 +545,7 @@ + for (y = nYDst; y < nHeight; y++) + { + BYTE* pDstLine = &pDstData[y * nDstStep + nXDst * dstBytesPerPixel]; +- memset(pDstLine, 0, dstBytesPerPixel * (nWidth - nXDst) * 1ULL); ++ 
memset(pDstLine, 0, 1ull * dstBytesPerPixel * (nWidth - nXDst)); + } + + switch (xorBpp) +@@ -742,7 +742,7 @@ + for (y = 1; y < nHeight; y++) + { + BYTE* pDstLine = &pDstData[(y + nYDst) * nDstStep + nXDst * bpp]; +- memcpy(pDstLine, pFirstDstLineXOffset, nWidth * bpp * 1ULL); ++ memcpy(pDstLine, pFirstDstLineXOffset, 1ull * nWidth * bpp); + } + + return TRUE; +--- a/libfreerdp/codec/h264.c ++++ b/libfreerdp/codec/h264.c +@@ -63,9 +63,9 @@ + _aligned_free(h264->pYUVData[0]); + _aligned_free(h264->pYUVData[1]); + _aligned_free(h264->pYUVData[2]); +- h264->pYUVData[0] = _aligned_malloc(h264->iStride[0] * height * 1ULL, 16); +- h264->pYUVData[1] = _aligned_malloc(h264->iStride[1] * height * 1ULL, 16); +- h264->pYUVData[2] = _aligned_malloc(h264->iStride[2] * height * 1ULL, 16); ++ h264->pYUVData[0] = _aligned_malloc(1ull * h264->iStride[0] * height, 16); ++ h264->pYUVData[1] = _aligned_malloc(1ull * h264->iStride[1] * height, 16); ++ h264->pYUVData[2] = _aligned_malloc(1ull * h264->iStride[2] * height, 16); + + if (!h264->pYUVData[0] || !h264->pYUVData[1] || !h264->pYUVData[2]) + return FALSE; +--- a/libfreerdp/codec/progressive.c ++++ b/libfreerdp/codec/progressive.c +@@ -411,7 +411,7 @@ + tile->stride = 4 * tile->width; + + { +- size_t dataLen = tile->stride * tile->height * 1ULL; ++ size_t dataLen = 1ull * tile->stride * tile->height; + tile->data = (BYTE*)_aligned_malloc(dataLen, 16); + } + +--- a/libfreerdp/gdi/bitmap.c ++++ b/libfreerdp/gdi/bitmap.c +@@ -148,7 +148,7 @@ + hBitmap->width = nWidth; + hBitmap->height = nHeight; + hBitmap->data = +- _aligned_malloc(nWidth * nHeight * GetBytesPerPixel(hBitmap->format) * 1ULL, 16); ++ _aligned_malloc(1ull * nWidth * nHeight * GetBytesPerPixel(hBitmap->format), 16); + hBitmap->free = _aligned_free; + + if (!hBitmap->data) +--- a/libfreerdp/gdi/gdi.c ++++ b/libfreerdp/gdi/gdi.c +@@ -1057,7 +1057,7 @@ + + case RDP_CODEC_ID_NONE: + format = gdi_get_pixel_format(cmd->bmp.bpp); +- size = cmd->bmp.width * cmd->bmp.height * 
GetBytesPerPixel(format) * 1ULL; ++ size = 1ull * cmd->bmp.width * cmd->bmp.height * GetBytesPerPixel(format); + if (size > cmd->bmp.bitmapDataLength) + { + WLog_ERR(TAG, "Short nocodec message: got %" PRIu32 " bytes, require %" PRIuz, +--- a/libfreerdp/gdi/gfx.c ++++ b/libfreerdp/gdi/gfx.c +@@ -730,7 +730,7 @@ + { + UINT32 x, y; + +- if (Stream_GetRemainingLength(&s) < cmd->height * cmd->width * 1ULL) ++ if (Stream_GetRemainingLength(&s) < 1ull * cmd->height * cmd->width) + return ERROR_INVALID_DATA; + + for (y = cmd->top; y < cmd->top + cmd->height; y++) +@@ -1029,7 +1029,7 @@ + } + + surface->scanline = gfx_align_scanline(surface->width * 4UL, 16); +- surface->data = (BYTE*)_aligned_malloc(surface->scanline * surface->height * 1ULL, 16); ++ surface->data = (BYTE*)_aligned_malloc(1ull * surface->scanline * surface->height, 16); + + if (!surface->data) + { +--- a/libfreerdp/gdi/graphics.c ++++ b/libfreerdp/gdi/graphics.c +@@ -52,7 +52,7 @@ + return NULL; + + nDstStep = nWidth * GetBytesPerPixel(gdi->dstFormat); +- pDstData = _aligned_malloc(nHeight * nDstStep * 1ULL, 16); ++ pDstData = _aligned_malloc(1ull * nHeight * nDstStep, 16); + + if (!pDstData) + return NULL; +--- a/libfreerdp/gdi/shape.c ++++ b/libfreerdp/gdi/shape.c +@@ -158,7 +158,7 @@ + for (y = 1; y < nHeight; y++) + { + BYTE* dstp = gdi_get_bitmap_pointer(hdc, nXDest, nYDest + y); +- memcpy(dstp, srcp, nWidth * formatSize * 1ULL); ++ memcpy(dstp, srcp, 1ull * nWidth * formatSize); + } + + break; +--- a/libfreerdp/gdi/video.c ++++ b/libfreerdp/gdi/video.c +@@ -66,7 +66,7 @@ + ret->base.w = width; + ret->base.h = height; + ret->scanline = width * bpp; +- ret->image = _aligned_malloc(ret->scanline * height * 1ULL, 16); ++ ret->image = _aligned_malloc(1ull * ret->scanline * height, 16); + + if (!ret->image) + { +--- a/libfreerdp/primitives/prim_copy.c ++++ b/libfreerdp/primitives/prim_copy.c +@@ -60,14 +60,14 @@ + + if (p1m <= p2m) + { +- ULONG_PTR p1mEnd = p1m + (height - 1) * p1Step * 1ULL + width * 
p1Size * 1ULL; ++ ULONG_PTR p1mEnd = p1m + 1ull * (height - 1) * p1Step + 1ull * width * p1Size; + + if (p1mEnd > p2m) + return TRUE; + } + else + { +- ULONG_PTR p2mEnd = p2m + (height - 1) * p2Step * 1ULL + width * p2Size * 1ULL; ++ ULONG_PTR p2mEnd = p2m + 1ull * (height - 1) * p2Step + 1ull * width * p2Size; + + if (p2mEnd > p1m) + return TRUE; +--- a/libfreerdp/primitives/primitives.c ++++ b/libfreerdp/primitives/primitives.c +@@ -157,7 +157,7 @@ + if (!buf) + goto fail; + +- winpr_RAND(buf, roi->width * roi->height * 1ULL); ++ winpr_RAND(buf, 1ull * roi->width * roi->height); + ret->steps[i] = roi->width; + } + +--- a/uwac/libuwac/uwac-window.c ++++ b/uwac/libuwac/uwac-window.c +@@ -316,14 +316,14 @@ + + w->buffers = newBuffers; + memset(w->buffers + w->nbuffers, 0, sizeof(UwacBuffer) * nbuffers); +- fd = uwac_create_anonymous_file(allocSize * nbuffers * 1ULL); ++ fd = uwac_create_anonymous_file(1ull * allocSize * nbuffers); + + if (fd < 0) + { + return UWAC_ERROR_INTERNAL; + } + +- data = mmap(NULL, allocSize * nbuffers * 1ULL, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); ++ data = mmap(NULL, 1ull * allocSize * nbuffers, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + + if (data == MAP_FAILED) + { +@@ -335,7 +335,7 @@ + + if (!pool) + { +- munmap(data, allocSize * nbuffers * 1ULL); ++ munmap(data, 1ull * allocSize * nbuffers); + ret = UWAC_ERROR_NOMEMORY; + goto error_mmap; + } +@@ -756,7 +756,7 @@ + + if (copyContentForNextFrame) + memcpy(nextDrawingBuffer->data, pendingBuffer->data, +- window->stride * window->height * 1ULL); ++ 1ull * window->stride * window->height); + + UwacSubmitBufferPtr(window, pendingBuffer); + return UWAC_SUCCESS; +--- a/winpr/libwinpr/utils/lodepng/lodepng.c ++++ b/winpr/libwinpr/utils/lodepng/lodepng.c +@@ -3814,7 +3814,7 @@ + { + size_t i; + ColorTree tree; +- size_t numpixels = w * h * 1ULL; ++ size_t numpixels = 1ull * w * h; + + if (lodepng_color_mode_equal(mode_out, mode_in)) + { +@@ -3917,7 +3917,7 @@ + unsigned error = 0; + 
size_t i; + ColorTree tree; +- size_t numpixels = w * h * 1ULL; ++ size_t numpixels = 1ull * w * h; + + unsigned colored_done = lodepng_is_greyscale_type(mode) ? 1 : 0; + unsigned alpha_done = lodepng_can_have_alpha(mode) ? 0 : 1; +@@ -4538,7 +4538,7 @@ + if (bpp < 8 && w * bpp != ((w * bpp + 7) / 8) * 8) + { + CERROR_TRY_RETURN(unfilter(in, in, w, h, bpp)); +- removePaddingBits(out, in, w * bpp * 1ULL, ((w * bpp + 7ULL) / 8ULL) * 8ULL, h); ++ removePaddingBits(out, in, 1ull * w * bpp, ((w * bpp + 7ULL) / 8ULL) * 8ULL, h); + } + /*we can immediatly filter into the out buffer, no other steps needed*/ + else +@@ -4564,7 +4564,7 @@ + bits between the different reduced images: each reduced image still starts nicely at + a byte*/ + removePaddingBits(&in[passstart[i]], &in[padded_passstart[i]], +- passw[i] * bpp * 1ULL, ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, ++ 1ull * passw[i] * bpp, ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, + passh[i]); + } + } +@@ -6055,7 +6055,7 @@ + error = 83; /*alloc fail*/ + if (!error) + { +- addPaddingBits(padded, in, ((w * bpp + 7ULL) / 8ULL) * 8ULL, w * bpp * 1ULL, h); ++ addPaddingBits(padded, in, ((w * bpp + 7ULL) / 8ULL) * 8ULL, 1ull * w * bpp, h); + error = filter(*out, padded, w, h, &info_png->color, settings); + } + free(padded); +@@ -6099,8 +6099,8 @@ + if (!padded) + ERROR_BREAK(83); /*alloc fail*/ + addPaddingBits(padded, &adam7[passstart[i]], +- ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, passw[i] * bpp * 1ULL, +- passh[i] * 1ULL); ++ ((passw[i] * bpp + 7ULL) / 8ULL) * 8ULL, 1ull * passw[i] * bpp, ++ 1ull * passh[i]); + error = filter(&(*out)[filter_passstart[i]], padded, passw[i], passh[i], + &info_png->color, settings); + free(padded); diff --git a/debian/patches/series b/debian/patches/series index b4b60f6..23a7f86 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -35,3 +35,4 @@ 0043-CVE-2023-39356-part2.patch 0044-CVE-2023-40567.patch 0045-CVE-2023-40181.patch +0046-CVE-2023-40186.patch
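Review bot: In the lodepng hunk at @@ -4538 the second argument to removePaddingBits, `((w * bpp + 7ULL) / 8ULL) * 8ULL`, still evaluates `w * bpp` at the operands' native width before the 64-bit `7ULL` widens the sum (as does the `w * bpp` in the guard on the line above), so the narrow wrap this commit removes from the neighbouring `1ull * w * bpp` argument survives in the padded line length beside it; the same pattern is left untouched in the @@ -4564, @@ -6055 and @@ -6099 hunks (`passw[i] * bpp + 7ULL`). After the change the two bit-length arguments can disagree for the same `w`/`bpp`, which is exactly the kind of mismatch the commit message says it sets out to eliminate. The fix is mechanical: `((1ull * w * bpp + 7ULL) / 8ULL) * 8ULL` and `((1ull * passw[i] * bpp + 7ULL) / 8ULL) * 8ULL`. Whether a width large enough to wrap can reach these call sites depends on dimension limits enforced elsewhere in lodepng that the patch does not show, so treat this as consistency hardening in the same spirit as the rest of the commit rather than a confirmed new overflow. The enclosing functions start and end outside the hunk.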