From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
From: Armin Novak
Date: Mon, 22 Oct 2018 16:30:20 +0200
Subject: [PATCH] Fixed CVE-2018-8787

Thanks to Eyal Itkin from Check Point Software Technologies.
---
 libfreerdp/gdi/graphics.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libfreerdp/gdi/graphics.c b/libfreerdp/gdi/graphics.c
index 4afae48d1..159198756 100644
--- a/libfreerdp/gdi/graphics.c
+++ b/libfreerdp/gdi/graphics.c
@@ -141,9 +141,17 @@ static BOOL gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap,
 {
 UINT32 SrcSize = length;
 rdpGdi* gdi = context->gdi;
+ UINT32 size = DstWidth * DstHeight;
 bitmap->compressed = FALSE;
 bitmap->format = gdi->dstFormat;
- bitmap->length = DstWidth * DstHeight * GetBytesPerPixel(bitmap->format);
+
+ if ((GetBytesPerPixel(bitmap->format) == 0) ||
+ (DstWidth == 0) || (DstHeight == 0) || (DstWidth > UINT32_MAX / DstHeight) ||
+ (size > (UINT32_MAX / GetBytesPerPixel(bitmap->format))))
+ return FALSE;
+
+ size *= GetBytesPerPixel(bitmap->format);
+ bitmap->length = size;
 bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);
 
 if (!bitmap->data)
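Review bot: The new guard ahead of `_aligned_malloc` only proves that `DstWidth * DstHeight * bpp` fits in a UINT32, so dimensions that presumably come from the peer can still request an allocation just under 4 GiB; a named sanity ceiling on the product would turn that into the same clean `return FALSE`. On builds where `size_t` is 32 bits, a length that close to `UINT32_MAX` also leaves no headroom for any padding the aligned allocator may add, although that implementation is not visible here. Two smaller points: `size` is computed, and may wrap, before the condition that validates it, which is well defined for unsigned types but deserves a comment such as `/* may wrap; rejected below before use */`, and `GetBytesPerPixel(bitmap->format)` is evaluated three times where one local, `const UINT32 bpp = GetBytesPerPixel(bitmap->format);`, would keep the check and the multiplication in step. The function body continues past the end of the hunk, so how the decoder uses `bitmap->length` relative to `SrcSize` cannot be checked from here.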