File freerdp-CVE-2024-22211.patch of Package freerdp

Overview Repositories Revisions Requests Users Attributes Meta

File freerdp-CVE-2024-22211.patch of Package freerdp

From df8e81440f34a35ba6bdbb10d2e7e81d8230acae Mon Sep 17 00:00:00 2001
From: Armin Novak <anovak@thincast.com>
Date: Sat, 13 Jan 2024 21:01:55 +0100
Subject: [PATCH] [codec,planar] check resolution for overflow

If the codec resolution is too large return an error as the internal
buffers would otherwise overflow.

(cherry picked from commit 44edab1deae4f8c901c00a00683f888cef36d853)
---
 libfreerdp/codec/planar.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 70346261e..76f70d6ba 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -1530,7 +1530,13 @@ BOOL freerdp_bitmap_planar_context_reset(BITMAP_PLANAR_CONTEXT* context, UINT32
 	context->bgr = FALSE;
 	context->maxWidth = PLANAR_ALIGN(width, 4);
 	context->maxHeight = PLANAR_ALIGN(height, 4);
-	context->maxPlaneSize = context->maxWidth * context->maxHeight;
+	const UINT64 tmp = (UINT64)context->maxWidth * context->maxHeight;
+	if (tmp > UINT32_MAX)
+		return FALSE;
+	context->maxPlaneSize = tmp;
+
+	if (context->maxWidth > UINT32_MAX / 4)
+		return FALSE;
 	context->nTempStep = context->maxWidth * 4;
 	free(context->planesBuffer);
 	free(context->pTempData);
-- 
2.45.2

Places

File freerdp-CVE-2024-22211.patch of Package freerdp

Places