mirror of https://github.com/FreeRDP/FreeRDP
Fixed OOB Read in license_read_new_or_upgrade_license_packet
CVE-2020-11099 thanks to @antonio-morales for finding this.
parent
152bf0cda4
commit
6ade7b4cbf
|
@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
|
|||
if (!licenseStream)
|
||||
goto out_free_blob;
|
||||
|
||||
if (Stream_GetRemainingLength(licenseStream) < 8)
|
||||
goto out_free_stream;
|
||||
|
||||
Stream_Read_UINT16(licenseStream, os_minor);
|
||||
Stream_Read_UINT16(licenseStream, os_major);
|
||||
|
||||
|
@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
|
|||
Stream_Seek(licenseStream, cbScope);
|
||||
|
||||
/* CompanyName */
|
||||
if (Stream_GetRemainingLength(licenseStream) < 4)
|
||||
goto out_free_stream;
|
||||
Stream_Read_UINT32(licenseStream, cbCompanyName);
|
||||
if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
|
||||
goto out_free_stream;
|
||||
|
@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
|
|||
Stream_Seek(licenseStream, cbCompanyName);
|
||||
|
||||
/* productId */
|
||||
if (Stream_GetRemainingLength(licenseStream) < 4)
|
||||
goto out_free_stream;
|
||||
Stream_Read_UINT32(licenseStream, cbProductId);
|
||||
if (Stream_GetRemainingLength(licenseStream) < cbProductId)
|
||||
goto out_free_stream;
|
||||
|
@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
|
|||
Stream_Seek(licenseStream, cbProductId);
|
||||
|
||||
/* licenseInfo */
|
||||
if (Stream_GetRemainingLength(licenseStream) < 4)
|
||||
goto out_free_stream;
|
||||
Stream_Read_UINT32(licenseStream, cbLicenseInfo);
|
||||
if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
|
||||
goto out_free_stream;
|
||||
|
|
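Review bot: The CompanyName, productId and licenseInfo fields each repeat the same hand-written sequence (check that 4 bytes remain, read the 32-bit length, check that many bytes remain), and judging by the hunk line counts the lines added here are the `< 4` checks that had been left out of it. A small static helper that performs all three steps would keep a future field from being parsed without the first check; each call site then becomes `if (!license_read_length_prefix(licenseStream, &cbCompanyName)) goto out_free_stream;` (the helper name is only a suggestion). In the first hunk the bare `8` presumably covers os_minor, os_major and the 4-byte cbScope length that is read outside the hunk; a comment such as `/* os_minor + os_major + cbScope */` would make that checkable. license_read_new_or_upgrade_license_packet begins and ends outside these hunks, so the Scope read and the cleanup labels are not visible here.

```c
/* Proposed helper: read a 32-bit length prefix and confirm the stream
 * still holds that many bytes, so the payload can be skipped or read safely. */
static BOOL license_read_length_prefix(wStream* s, UINT32* length)
{
	if (Stream_GetRemainingLength(s) < 4)
		return FALSE;

	Stream_Read_UINT32(s, *length);
	return Stream_GetRemainingLength(s) >= *length;
}

	/* CompanyName */
	if (!license_read_length_prefix(licenseStream, &cbCompanyName))
		goto out_free_stream;
	/* … unchanged: code up to Stream_Seek(licenseStream, cbCompanyName) … */
	/* … productId and licenseInfo: same call with cbProductId / cbLicenseInfo … */
```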