File freerdp-CVE-2022-39282.patch of Package freerdp.27686
From 08748affcef654544595bff0903e735b777b4753 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 6 Oct 2022 09:12:40 +0200
Subject: [PATCH] Fix length checks in parallel driver
The length requested was not checked against the length read from
the port.
(cherry picked from commit 094cc5a4596c299595b732effd59ee149181fd61)
---
channels/parallel/client/parallel_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/channels/parallel/client/parallel_main.c b/channels/parallel/client/parallel_main.c
index af3e82703..993605a65 100644
--- a/channels/parallel/client/parallel_main.c
+++ b/channels/parallel/client/parallel_main.c
@@ -159,7 +159,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
return ERROR_INVALID_DATA;
Stream_Read_UINT32(irp->input, Length);
Stream_Read_UINT64(irp->input, Offset);
- buffer = (BYTE*)malloc(Length);
+ buffer = (BYTE*)calloc(Length, sizeof(BYTE));
if (!buffer)
{
@@ -178,6 +178,7 @@ static UINT parallel_process_irp_read(PARALLEL_DEVICE* parallel, IRP* irp)
}
else
{
+ Length = status;
}
Stream_Write_UINT32(irp->output, Length);
--
2.35.3