File xrdp-CVE-2022-23477.patch of Package xrdp.31863
From 1ba314c80ebd18ee4c4d8459b79d6ee8badf1ad0 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477
Prevent buffer overflow for oversized audio format from client
---
sesman/chansrv/audin.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index 1ca2de30..9d25749b 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
int error;
int bytes;
struct stream *s;
- struct xr_wave_format_ex *wf;
+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
LOG(0, ("audin_send_open:"));
make_stream(s);
- init_stream(s, 8192);
+ /* wf->cbSize was checked when the format was received */
+ init_stream(s, wf->cbSize + 64);
+
out_uint8(s, MSG_SNDIN_OPEN);
out_uint32_le(s, 2048); /* FramesPerPacket */
out_uint32_le(s, g_current_format); /* initialFormat */
- wf = g_client_formats[g_current_format];
out_uint16_le(s, wf->wFormatTag);
out_uint16_le(s, wf->nChannels);
out_uint32_le(s, wf->nSamplesPerSec);
--
2.39.0