File freerdp-CVE-2023-40574-to-2023-40576.patch of Package freerdp.34872
From 0556e5641631684c7677967183ab734d1f7194d3 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Wed, 23 Aug 2023 08:38:23 +0200
Subject: [PATCH 1/2] [primitives,yuv] clean up code, assert arguments
---
libfreerdp/primitives/prim_YUV.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/libfreerdp/primitives/prim_YUV.c b/libfreerdp/primitives/prim_YUV.c
index 0bca4befe..4799a4b63 100644
--- a/libfreerdp/primitives/prim_YUV.c
+++ b/libfreerdp/primitives/prim_YUV.c
@@ -382,21 +382,24 @@ static pstatus_t general_YUV444ToRGB_8u_P3AC4R_general(const BYTE* const pSrc[3]
UINT32 dstStep, UINT32 DstFormat,
const prim_size_t* roi)
{
- UINT32 x, y;
- UINT32 nWidth, nHeight;
const DWORD formatSize = GetBytesPerPixel(DstFormat);
fkt_writePixel writePixel = getPixelWriteFunction(DstFormat, FALSE);
- nWidth = roi->width;
- nHeight = roi->height;
- for (y = 0; y < nHeight; y++)
+ WINPR_ASSERT(pSrc);
+ WINPR_ASSERT(pDst);
+ WINPR_ASSERT(roi);
+
+ const UINT32 nWidth = roi->width;
+ const UINT32 nHeight = roi->height;
+
+ for (UINT32 y = 0; y < nHeight; y++)
{
const BYTE* pY = pSrc[0] + y * srcStep[0];
const BYTE* pU = pSrc[1] + y * srcStep[1];
const BYTE* pV = pSrc[2] + y * srcStep[2];
BYTE* pRGB = pDst + y * dstStep;
- for (x = 0; x < nWidth; x++)
+ for (UINT32 x = 0; x < nWidth; x++)
{
const BYTE Y = pY[x];
const BYTE U = pU[x];
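Review bot: The added `WINPR_ASSERT` calls at the top of `general_YUV444ToRGB_8u_P3AC4R_general` only reject NULL for `pSrc`, `pDst` and `roi`; `srcStep` is dereferenced as `srcStep[0..2]` in the row loop but is not asserted, and nothing relates `dstStep` or the buffer sizes to `roi->width` and `roi->height`. Depending on how WinPR is built, `WINPR_ASSERT` may compile to nothing in release builds, so it should not be the only guard on values that can come from a remote peer. I would add `WINPR_ASSERT(srcStep);` and, if callers do not already guarantee it, a runtime check that `dstStep` is at least `nWidth * formatSize` which returns an error status instead of asserting. The row offsets `y * srcStep[i]` and `y * dstStep` are computed in `UINT32` and could wrap for very large surfaces before they are added to the pointer. The same applies to `general_YUV444ToRGB_8u_P3AC4R_BGRX` in the next hunk; both function bodies continue outside the hunks.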
@@ -416,20 +419,23 @@ static pstatus_t general_YUV444ToRGB_8u_P3AC4R_BGRX(const BYTE* const pSrc[3],
UINT32 dstStep, UINT32 DstFormat,
const prim_size_t* roi)
{
- UINT32 x, y;
- UINT32 nWidth, nHeight;
const DWORD formatSize = GetBytesPerPixel(DstFormat);
- nWidth = roi->width;
- nHeight = roi->height;
- for (y = 0; y < nHeight; y++)
+ WINPR_ASSERT(pSrc);
+ WINPR_ASSERT(pDst);
+ WINPR_ASSERT(roi);
+
+ const UINT32 nWidth = roi->width;
+ const UINT32 nHeight = roi->height;
+
+ for (UINT32 y = 0; y < nHeight; y++)
{
const BYTE* pY = pSrc[0] + y * srcStep[0];
const BYTE* pU = pSrc[1] + y * srcStep[1];
const BYTE* pV = pSrc[2] + y * srcStep[2];
BYTE* pRGB = pDst + y * dstStep;
- for (x = 0; x < nWidth; x++)
+ for (UINT32 x = 0; x < nWidth; x++)
{
const BYTE Y = pY[x];
const BYTE U = pU[x];
--
2.43.0
From 9148e1619ef82f67b1a9db0a685a840f18df6f1d Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Wed, 23 Aug 2023 09:24:00 +0200
Subject: [PATCH 2/2] [codec,interleaved] fix bounds checks
---
libfreerdp/codec/include/bitmap.c | 54 ++++++++++-----------------
libfreerdp/codec/interleaved.c | 61 ++++++++++++++++++++++---------
2 files changed, 63 insertions(+), 52 deletions(-)
diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
index 38bcaa859..355c697e0 100644
--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -46,7 +46,6 @@ static INLINE BYTE* WRITEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd, UINT32 r
data = xorPixel;
DESTWRITEPIXEL(pbDest, data);
- DESTNEXTPIXEL(pbDest);
mask = mask << 1;
});
return pbDest;
@@ -76,7 +75,6 @@ static INLINE BYTE* WRITEFIRSTLINEFGBGIMAGE(BYTE* pbDest, const BYTE* pbDestEnd,
data = BLACK_PIXEL;
DESTWRITEPIXEL(pbDest, data);
- DESTNEXTPIXEL(pbDest);
mask = mask << 1;
});
return pbDest;
@@ -134,6 +132,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
if (code == REGULAR_BG_RUN || code == MEGA_MEGA_BG_RUN)
{
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
if (fFirstLine)
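Review bot: The new `if (advance == 0) return FALSE;` guard only helps if `ExtractRunLength` can actually report failure through `advance`, and the call still passes no end pointer. The `ExtractRunLength` hunk in interleaved.c shows `ladvance = 1;` as the starting value, so unless the part of that function outside the hunk sets it to 0, this guard never fires and the header bytes are read without reference to `pbEnd`. After `pbSrc = pbSrc + advance;` nothing confirms that `pbSrc` is still inside the source buffer. A guard along the lines of `if (advance == 0 || advance > (size_t)(pbEnd - pbSrc)) return FALSE;` before the increment would cover that, assuming the enclosing loop keeps `pbSrc <= pbEnd`. The same pattern repeats at every `ExtractRunLength` call site in the later `RLEDECOMPRESS` hunks.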
@@ -144,17 +144,13 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
return FALSE;
DESTWRITEPIXEL(pbDest, fgPel);
- DESTNEXTPIXEL(pbDest);
runLength = runLength - 1;
}
if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
return FALSE;
- UNROLL(runLength, {
- DESTWRITEPIXEL(pbDest, BLACK_PIXEL);
- DESTNEXTPIXEL(pbDest);
- });
+ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, BLACK_PIXEL); });
}
else
{
@@ -166,7 +162,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
return FALSE;
DESTWRITEPIXEL(pbDest, temp ^ fgPel);
- DESTNEXTPIXEL(pbDest);
runLength--;
}
@@ -176,7 +171,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
UNROLL(runLength, {
DESTREADPIXEL(temp, pbDest - rowDelta);
DESTWRITEPIXEL(pbDest, temp);
- DESTNEXTPIXEL(pbDest);
});
}
@@ -197,14 +191,15 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case LITE_SET_FG_FG_RUN:
case MEGA_MEGA_SET_FG_RUN:
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN)
{
- if (pbSrc >= pbEnd)
+ if (pbSrc + sizeof(fgPel) >= pbEnd)
return FALSE;
SRCREADPIXEL(fgPel, pbSrc);
- SRCNEXTPIXEL(pbSrc);
}
if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
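Review bot: The rewritten guard `if (pbSrc + sizeof(fgPel) >= pbEnd)` forms a pointer that may lie past the end of the source buffer before comparing it, and `>=` also rejects a pixel that ends exactly at `pbEnd`. Comparing the remaining length avoids both: `if ((size_t)(pbEnd - pbSrc) < sizeof(fgPel)) return FALSE;`. Note that `sizeof(fgPel)` is the size of the local variable, which may be wider than what `SRCREADPIXEL` consumes (the 24-bit variant reads three bytes), so a per-depth pixel-size constant would be more exact. The same comparison is used for `pixelA`, `pixelB` and `fgPel` in the dithered-run, color-run and FGBG-image hunks below. The unchanged `if (pbSrc >= pbEnd)` inside the `REGULAR_COLOR_IMAGE` loop (hunk `@@ -351,9 +341,7`) still checks for a single byte before a multi-byte `SRCREADPIXEL`.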
@@ -212,17 +207,13 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
if (fFirstLine)
{
- UNROLL(runLength, {
- DESTWRITEPIXEL(pbDest, fgPel);
- DESTNEXTPIXEL(pbDest);
- });
+ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, fgPel); });
}
else
{
UNROLL(runLength, {
DESTREADPIXEL(temp, pbDest - rowDelta);
DESTWRITEPIXEL(pbDest, temp ^ fgPel);
- DESTNEXTPIXEL(pbDest);
});
}
@@ -232,24 +223,22 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case LITE_DITHERED_RUN:
case MEGA_MEGA_DITHERED_RUN:
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
- if (pbSrc >= pbEnd)
+ if (pbSrc + sizeof(pixelA) >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelA, pbSrc);
- SRCNEXTPIXEL(pbSrc);
- if (pbSrc >= pbEnd)
+ if (pbSrc + sizeof(pixelB) >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelB, pbSrc);
- SRCNEXTPIXEL(pbSrc);
if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength * 2))
return FALSE;
UNROLL(runLength, {
DESTWRITEPIXEL(pbDest, pixelA);
- DESTNEXTPIXEL(pbDest);
DESTWRITEPIXEL(pbDest, pixelB);
- DESTNEXTPIXEL(pbDest);
});
break;
@@ -257,19 +246,17 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case REGULAR_COLOR_RUN:
case MEGA_MEGA_COLOR_RUN:
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
- if (pbSrc >= pbEnd)
+ if (pbSrc + sizeof(pixelA) >= pbEnd)
return FALSE;
SRCREADPIXEL(pixelA, pbSrc);
- SRCNEXTPIXEL(pbSrc);
if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
return FALSE;
- UNROLL(runLength, {
- DESTWRITEPIXEL(pbDest, pixelA);
- DESTNEXTPIXEL(pbDest);
- });
+ UNROLL(runLength, { DESTWRITEPIXEL(pbDest, pixelA); });
break;
/* Handle Foreground/Background Image Orders. */
@@ -278,14 +265,15 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case LITE_SET_FG_FGBG_IMAGE:
case MEGA_MEGA_SET_FGBG_IMAGE:
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
- if (pbSrc >= pbEnd)
+ if (pbSrc + sizeof(fgPel) >= pbEnd)
return FALSE;
if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE)
{
SRCREADPIXEL(fgPel, pbSrc);
- SRCNEXTPIXEL(pbSrc);
}
if (fFirstLine)
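Review bot: In this hunk the `pbSrc + sizeof(fgPel) >= pbEnd` check sits before the `if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE)` test, so it also applies to the FGBG codes that never read `fgPel`. For those codes it demands a pixel's worth of input that is not consumed here, and it says nothing about the bitmask bytes read afterwards (that code is outside the hunk). I would move the pixel-size check inside the `if` block next to `SRCREADPIXEL(fgPel, pbSrc);` and keep a separate remaining-length check for the bitmask reads.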
@@ -343,6 +331,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
case REGULAR_COLOR_IMAGE:
case MEGA_MEGA_COLOR_IMAGE:
runLength = ExtractRunLength(code, pbSrc, &advance);
+ if (advance == 0)
+ return FALSE;
pbSrc = pbSrc + advance;
if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
return FALSE;
@@ -351,9 +341,7 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
if (pbSrc >= pbEnd)
return FALSE;
SRCREADPIXEL(temp, pbSrc);
- SRCNEXTPIXEL(pbSrc);
DESTWRITEPIXEL(pbDest, temp);
- DESTNEXTPIXEL(pbDest);
});
break;
@@ -405,7 +393,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
return FALSE;
DESTWRITEPIXEL(pbDest, WHITE_PIXEL);
- DESTNEXTPIXEL(pbDest);
break;
/* Handle Black Order. */
@@ -416,7 +403,6 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
return FALSE;
DESTWRITEPIXEL(pbDest, BLACK_PIXEL);
- DESTNEXTPIXEL(pbDest);
break;
default:
diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
index b76fe1ca3..223cb71fc 100644
--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
@@ -25,6 +25,8 @@
#include "config.h"
#endif
+#include <winpr/assert.h>
+
#include <freerdp/codec/interleaved.h>
#include <freerdp/log.h>
@@ -134,6 +136,9 @@ static INLINE UINT32 ExtractRunLength(UINT32 code, const BYTE* pbOrderHdr, UINT3
ladvance = 1;
runLength = 0;
+ WINPR_ASSERT(pbOrderHdr);
+ WINPR_ASSERT(advance);
+
switch (code)
{
case REGULAR_FGBG_IMAGE:
@@ -239,19 +244,26 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix)
#undef DESTWRITEPIXEL
#undef DESTREADPIXEL
#undef SRCREADPIXEL
-#undef DESTNEXTPIXEL
-#undef SRCNEXTPIXEL
#undef WRITEFGBGIMAGE
#undef WRITEFIRSTLINEFGBGIMAGE
#undef RLEDECOMPRESS
#undef RLEEXTRA
#undef WHITE_PIXEL
#define WHITE_PIXEL 0xFF
-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_8(_buf, _pix)
+#define DESTWRITEPIXEL(_buf, _pix) \
+ do \
+ { \
+ write_pixel_8(_buf, _pix); \
+ _buf += 1; \
+ } while (0)
#define DESTREADPIXEL(_pix, _buf) _pix = (_buf)[0]
-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0]
-#define DESTNEXTPIXEL(_buf) _buf += 1
-#define SRCNEXTPIXEL(_buf) _buf += 1
+#define SRCREADPIXEL(_pix, _buf) \
+ do \
+ { \
+ _pix = (_buf)[0]; \
+ _buf += 1; \
+ } while (0)
+
#define WRITEFGBGIMAGE WriteFgBgImage8to8
#define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage8to8
#define RLEDECOMPRESS RleDecompress8to8
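Review bot: `DESTWRITEPIXEL` and `SRCREADPIXEL` now advance their `_buf` argument as a side effect, while `DESTREADPIXEL` still does not, and nothing in the names or in a comment says so. A reader of bitmap.c can no longer see where `pbSrc` and `pbDest` move, which matters because every bounds check there depends on those positions. I would add a comment above each definition, e.g. `/* writes one pixel and advances _buf past it; _buf must be a modifiable lvalue */`, and write the increment as `(_buf) += 1` for consistency with the parenthesised reads. The same applies to the 16-bit and 24-bit macro sets in the next two hunks.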
@@ -263,19 +275,25 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix)
#undef DESTWRITEPIXEL
#undef DESTREADPIXEL
#undef SRCREADPIXEL
-#undef DESTNEXTPIXEL
-#undef SRCNEXTPIXEL
#undef WRITEFGBGIMAGE
#undef WRITEFIRSTLINEFGBGIMAGE
#undef RLEDECOMPRESS
#undef RLEEXTRA
#undef WHITE_PIXEL
#define WHITE_PIXEL 0xFFFF
-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_16(_buf, _pix)
+#define DESTWRITEPIXEL(_buf, _pix) \
+ do \
+ { \
+ write_pixel_16(_buf, _pix); \
+ _buf += 2; \
+ } while (0)
#define DESTREADPIXEL(_pix, _buf) _pix = ((UINT16*)(_buf))[0]
-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8)
-#define DESTNEXTPIXEL(_buf) _buf += 2
-#define SRCNEXTPIXEL(_buf) _buf += 2
+#define SRCREADPIXEL(_pix, _buf) \
+ do \
+ { \
+ _pix = (_buf)[0] | ((_buf)[1] << 8); \
+ _buf += 2; \
+ } while (0)
#define WRITEFGBGIMAGE WriteFgBgImage16to16
#define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage16to16
#define RLEDECOMPRESS RleDecompress16to16
@@ -287,19 +305,26 @@ static INLINE void write_pixel_16(BYTE* _buf, UINT16 _pix)
#undef DESTWRITEPIXEL
#undef DESTREADPIXEL
#undef SRCREADPIXEL
-#undef DESTNEXTPIXEL
-#undef SRCNEXTPIXEL
#undef WRITEFGBGIMAGE
#undef WRITEFIRSTLINEFGBGIMAGE
#undef RLEDECOMPRESS
#undef RLEEXTRA
#undef WHITE_PIXEL
#define WHITE_PIXEL 0xFFFFFF
-#define DESTWRITEPIXEL(_buf, _pix) write_pixel_24(_buf, _pix)
+#define DESTWRITEPIXEL(_buf, _pix) \
+ do \
+ { \
+ write_pixel_24(_buf, _pix); \
+ _buf += 3; \
+ } while (0)
#define DESTREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16)
-#define SRCREADPIXEL(_pix, _buf) _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16)
-#define DESTNEXTPIXEL(_buf) _buf += 3
-#define SRCNEXTPIXEL(_buf) _buf += 3
+#define SRCREADPIXEL(_pix, _buf) \
+ do \
+ { \
+ _pix = (_buf)[0] | ((_buf)[1] << 8) | ((_buf)[2] << 16); \
+ _buf += 3; \
+ } while (0)
+
#define WRITEFGBGIMAGE WriteFgBgImage24to24
#define WRITEFIRSTLINEFGBGIMAGE WriteFirstLineFgBgImage24to24
#define RLEDECOMPRESS RleDecompress24to24
--
2.43.0