File freerdp-CVE-2022-39320.patch of Package freerdp.27686
From ca1ff058bda0852b85891bd44d270f9c5bc4ac2a Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Thu, 13 Oct 2022 09:00:48 +0200
Subject: [PATCH] Added missing length check in urb_control_transfer
(cherry picked from commit ce838e2477cb8173ea5e98f35ad55ff41ea5117d)
---
channels/urbdrc/client/data_transfer.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index bbb6104e3..575e53c36 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -671,7 +671,11 @@ static UINT urb_control_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callba
buffer = Stream_Pointer(out);
if (transferDir == USBD_TRANSFER_DIRECTION_OUT)
+ {
+ if (Stream_GetRemainingLength(s) < OutputBufferSize)
+ return ERROR_INVALID_DATA;
Stream_Copy(s, out, OutputBufferSize);
+ }
/** process TS_URB_CONTROL_TRANSFER */
if (!pdev->control_transfer(pdev, RequestId, EndpointAddress, TransferFlags, bmRequestType,
--
2.39.1