File freerdp-CVE-2018-8784.patch of Package freerdp.6948

From 17c363a5162fd4dc77b1df54e48d7bd9bf6b3be7 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 17:51:26 +0200
Subject: [PATCH 6/6] Fixed CVE-2018-8784

Thanks to Eyal Itkin from Check Point Software Technologies.
---
 libfreerdp/codec/zgfx.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

Index: b/libfreerdp/codec/zgfx.c
===================================================================
--- a/libfreerdp/codec/zgfx.c	2019-01-09 22:14:39.334977268 +0800
+++ b/libfreerdp/codec/zgfx.c	2019-01-09 22:15:28.047296783 +0800
@@ -132,6 +132,7 @@ static INLINE BOOL zgfx_GetBits(ZGFX_CON
 	_zgfx->cBitsCurrent -= _nbits;
 	_zgfx->bits = _zgfx->BitsCurrent >> _zgfx->cBitsCurrent;
 	_zgfx->BitsCurrent &= ((1 << _zgfx->cBitsCurrent) - 1);
+	return TRUE;
 }
 
 void zgfx_history_buffer_ring_write(ZGFX_CONTEXT* zgfx, BYTE* src, UINT32 count)
@@ -228,7 +229,7 @@ int zgfx_decompress_segment(ZGFX_CONTEXT
 	UINT32 count;
 	UINT32 distance;
 
-	if (cbSegment < 1)
+	if (!zgfx || cbSegment < 1)
 		return -1;
 
 	flags = pbSegment[0]; /* header (1 byte) */
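Review bot: `pbSegment` is still dereferenced at `flags = pbSegment[0];` without a NULL test, although the entry guard now rejects a NULL `zgfx`. Extending the guard to `if (!zgfx || !pbSegment || cbSegment < 1)` would make it cover both pointers the function relies on. The body of zgfx_decompress_segment starts and continues outside this hunk.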
@@ -241,6 +242,10 @@ int zgfx_decompress_segment(ZGFX_CONTEXT
 	if (!(flags & PACKET_COMPRESSED))
 	{
 		zgfx_history_buffer_ring_write(zgfx, pbSegment, cbSegment);
+
+		if (cbSegment > sizeof(zgfx->OutputBuffer))
+			return -1;
+
 		CopyMemory(zgfx->OutputBuffer, pbSegment, cbSegment);
 		zgfx->OutputCount = cbSegment;
 
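Review bot: The new `cbSegment > sizeof(zgfx->OutputBuffer)` check runs after `zgfx_history_buffer_ring_write(zgfx, pbSegment, cbSegment)`, so an oversized uncompressed segment has already been written into the history ring by the time the function returns -1. Whether the ring writer bounds `count` itself is not visible in this patch, so the check is better placed above that call: `if (cbSegment > sizeof(zgfx->OutputBuffer)) return -1;` first, then the ring write and the `CopyMemory`. The literal-byte hunk ending at `zgfx->OutputBuffer[zgfx->OutputCount++] = c;` has the same ordering, because `HistoryIndex` is advanced before the output bound is tested. The function body starts and ends outside this hunk.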
@@ -283,6 +288,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT
 					if (++zgfx->HistoryIndex == zgfx->HistoryBufferSize)
 						zgfx->HistoryIndex = 0;
 
+					if (zgfx->OutputCount >= sizeof(zgfx->OutputBuffer))
+						return -1;
+
 					zgfx->OutputBuffer[zgfx->OutputCount++] = c;
 				}
 				else
@@ -319,6 +327,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT
 							count += zgfx->bits;
 						}
 
+						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+							return -1;
+
 						zgfx_history_buffer_ring_read(zgfx, distance, &(zgfx->OutputBuffer[zgfx->OutputCount]), count);
 						zgfx_history_buffer_ring_write(zgfx, &(zgfx->OutputBuffer[zgfx->OutputCount]), count);
 						zgfx->OutputCount += count;
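Review bot: The guard `count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount` is only correct while `OutputCount` never exceeds the buffer size, and nothing in the code states that invariant. A comment such as `/* OutputCount <= sizeof(OutputBuffer) on every path, so the subtraction cannot wrap */` would stop a later edit from rewriting it as an addition that can overflow. The same guard is repeated in the next hunk before the `CopyMemory` from `zgfx->pbInputCurrent`, where it bounds only the destination. No check on the number of input bytes remaining is visible in the patch, so that should be confirmed against the full function. zgfx_decompress_segment starts and ends outside this hunk.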
@@ -334,6 +345,9 @@ int zgfx_decompress_segment(ZGFX_CONTEXT
 						zgfx->cBitsCurrent = 0;
 						zgfx->BitsCurrent = 0;
 
+						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+							return -1;
+
 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent, count);
 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);