From a84b303c2387441287c48bd88a73c92d6f0b8a00 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 10:33:17 +0200 Subject: [PATCH 1/6] [sysconf] _SC_GETPW_R_SIZE_MAX return checks fix possible overflow with value returned from sysconf(_SC_GETPW_R_SIZE_MAX) --- winpr/libwinpr/shell/shell.c | 6 +++--- winpr/libwinpr/sspicli/sspicli.c | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/winpr/libwinpr/shell/shell.c b/winpr/libwinpr/shell/shell.c index 2ef907709..a9cab579d 100644 --- a/winpr/libwinpr/shell/shell.c +++ b/winpr/libwinpr/shell/shell.c @@ -59,11 +59,11 @@ BOOL GetUserProfileDirectoryA(HANDLE hToken, LPSTR lpProfileDir, LPDWORD lpcchSi } long buflen = sysconf(_SC_GETPW_R_SIZE_MAX); - - if (buflen == -1) + if (buflen < 0) buflen = 8196; - char* buf = (char*)malloc(buflen); + const size_t s = 1ULL + (size_t)buflen; + char* buf = calloc(s, sizeof(char)); if (!buf) return FALSE; diff --git a/winpr/libwinpr/sspicli/sspicli.c b/winpr/libwinpr/sspicli/sspicli.c index 68524363d..5d6b349c6 100644 --- a/winpr/libwinpr/sspicli/sspicli.c +++ b/winpr/libwinpr/sspicli/sspicli.c @@ -153,10 +153,11 @@ BOOL LogonUserA(LPCSTR lpszUsername, LPCSTR lpszDomain, LPCSTR lpszPassword, DWO } long buflen = sysconf(_SC_GETPW_R_SIZE_MAX); - if (buflen == -1) + if (buflen < 0) buflen = 8196; - char* buf = (char*)calloc(buflen + 1, sizeof(char)); + const size_t s = 1ULL + (size_t)buflen; + char* buf = (char*)calloc(s, sizeof(char)); if (!buf) goto fail; From 74b596758ccd38a8836dbc465cb5a8abf0038038 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 10:49:54 +0200 Subject: [PATCH 2/6] [crypto,tls] add check for overflow --- libfreerdp/crypto/tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c index dbd60ee56..c9687feb4 100644 --- a/libfreerdp/crypto/tls.c +++ b/libfreerdp/crypto/tls.c @@ -448,7 +448,8 @@ static long bio_rdp_tls_ctrl(BIO* bio, int cmd, long num, void* ptr) if (status <= 0) { - switch (SSL_get_error(tls->ssl, status)) + const int err = (status < INT32_MIN) ? INT32_MIN : (int)status; + switch (SSL_get_error(tls->ssl, err)) { case SSL_ERROR_WANT_READ: BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); From 9b32cc59b856a34ebcfb2250ad921895edf91d14 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 10:52:03 +0200 Subject: [PATCH 3/6] [core,gateway] restore non-local value --- libfreerdp/core/gateway/http.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libfreerdp/core/gateway/http.c b/libfreerdp/core/gateway/http.c index 2d4ce0b79..2688a3cce 100644 --- a/libfreerdp/core/gateway/http.c +++ b/libfreerdp/core/gateway/http.c @@ -1030,10 +1030,10 @@ static BOOL http_response_parse_header(HttpResponse* response) break; } - if (!http_response_parse_header_field(response, name, value)) - goto fail; - + const int rc = http_response_parse_header_field(response, name, value); *end_of_header = end_of_header_char; + if (!rc) + goto fail; } rc = TRUE; From 0545a8a5ef0bd2406ab3cd0cea38a2112dd03f8e Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 11:02:42 +0200 Subject: [PATCH 4/6] [uwac] fix sign warnings --- uwac/libuwac/uwac-priv.h | 2 +- uwac/libuwac/uwac-window.c | 39 +++++++++++++++++++++++++------------- 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/uwac/libuwac/uwac-priv.h b/uwac/libuwac/uwac-priv.h index 98636e19f..5b922d142 100644 --- a/uwac/libuwac/uwac-priv.h +++ b/uwac/libuwac/uwac-priv.h @@ -270,7 +270,7 @@ struct uwac_window struct uwac_buffer_release_data { UwacWindow* window; - int bufferIdx; + size_t bufferIdx; }; typedef struct uwac_buffer_release_data UwacBufferReleaseData; diff --git a/uwac/libuwac/uwac-window.c b/uwac/libuwac/uwac-window.c index c43953d28..352369d8b 100644 --- a/uwac/libuwac/uwac-window.c +++ b/uwac/libuwac/uwac-window.c @@ -34,7 +34,7 @@ #include -#define UWAC_INITIAL_BUFFERS 3 +#define UWAC_INITIAL_BUFFERS 3ull static int bppFromShmFormat(enum wl_shm_format format) { @@ -78,7 +78,7 @@ static void UwacWindowDestroyBuffers(UwacWindow* w) w->buffers = NULL; } -static int UwacWindowShmAllocBuffers(UwacWindow* w, int64_t nbuffers, int64_t allocSize, +static int UwacWindowShmAllocBuffers(UwacWindow* w, uint64_t nbuffers, uint64_t allocSize, uint32_t width, uint32_t height, enum wl_shm_format format); static void xdg_handle_toplevel_configure(void* data, struct xdg_toplevel* xdg_toplevel, @@ -319,23 +319,27 @@ static void shell_popup_done(void* data, struct wl_shell_surface* surface) static const struct wl_shell_surface_listener shell_listener = { shell_ping, shell_configure, shell_popup_done }; -int UwacWindowShmAllocBuffers(UwacWindow* w, int64_t nbuffers, int64_t allocSize, uint32_t width, +int UwacWindowShmAllocBuffers(UwacWindow* w, uint64_t nbuffers, uint64_t allocSize, uint32_t width, uint32_t height, enum wl_shm_format format) { int ret = UWAC_SUCCESS; int fd = 0; void* data = NULL; struct wl_shm_pool* pool = NULL; - int64_t pagesize = sysconf(_SC_PAGESIZE); + + if ((width > INT32_MAX) || (height > INT32_MAX)) + return UWAC_ERROR_NOMEMORY; + + const int64_t pagesize = sysconf(_SC_PAGESIZE); if (pagesize <= 0) return UWAC_ERROR_NOMEMORY; /* round up to a multiple of PAGESIZE to page align data for each buffer */ - const uint64_t test = (1ull * allocSize + pagesize - 1ull) & ~(pagesize - 1); + const uint64_t test = (1ull * allocSize + (size_t)pagesize - 1ull) & ~((size_t)pagesize - 1); if (test > INT64_MAX) return UWAC_ERROR_NOMEMORY; - allocSize = (int64_t)test; + allocSize = test; UwacBuffer* newBuffers = xrealloc(w->buffers, (0ull + w->nbuffers + nbuffers) * sizeof(UwacBuffer)); @@ -345,14 +349,18 @@ int UwacWindowShmAllocBuffers(UwacWindow* w, int64_t nbuffers, int64_t allocSize w->buffers = newBuffers; memset(w->buffers + w->nbuffers, 0, sizeof(UwacBuffer) * nbuffers); - fd = uwac_create_anonymous_file(1ull * allocSize * nbuffers); + + const size_t allocbuffersize = 1ull * allocSize * nbuffers; + if (allocbuffersize > INT32_MAX) + return UWAC_ERROR_NOMEMORY; + + fd = uwac_create_anonymous_file((off_t)allocbuffersize); if (fd < 0) { return UWAC_ERROR_INTERNAL; } - const size_t allocbuffersize = 1ull * allocSize * nbuffers; data = mmap(NULL, allocbuffersize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); if (data == MAP_FAILED) @@ -361,7 +369,7 @@ int UwacWindowShmAllocBuffers(UwacWindow* w, int64_t nbuffers, int64_t allocSize goto error_mmap; } - pool = wl_shm_create_pool(w->display->shm, fd, allocbuffersize); + pool = wl_shm_create_pool(w->display->shm, fd, (int32_t)allocbuffersize); if (!pool) { @@ -370,20 +378,25 @@ int UwacWindowShmAllocBuffers(UwacWindow* w, int64_t nbuffers, int64_t allocSize goto error_mmap; } - for (int64_t i = 0; i < nbuffers; i++) + for (uint64_t i = 0; i < nbuffers; i++) { const size_t idx = (size_t)i; - size_t bufferIdx = w->nbuffers + idx; + const size_t bufferIdx = w->nbuffers + idx; UwacBuffer* buffer = &w->buffers[bufferIdx]; + #ifdef UWAC_HAVE_PIXMAN_REGION pixman_region32_init(&buffer->damage); #else region16_init(&buffer->damage); #endif + const size_t offset = allocSize * idx; + if (offset > INT32_MAX) + goto error_mmap; + buffer->data = &((char*)data)[allocSize * idx]; buffer->size = allocSize; - buffer->wayland_buffer = - wl_shm_pool_create_buffer(pool, allocSize * idx, width, height, w->stride, format); + buffer->wayland_buffer = wl_shm_pool_create_buffer(pool, (int32_t)offset, (int32_t)width, + (int32_t)height, w->stride, format); UwacBufferReleaseData* listener_data = xmalloc(sizeof(UwacBufferReleaseData)); listener_data->window = w; listener_data->bufferIdx = bufferIdx; From 0cb84a0d8f7ad8b9389e6a91ffd8f839f87d4d53 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 11:33:41 +0200 Subject: [PATCH 5/6] [crypto,cert] fix error handling for bio_read_pem --- libfreerdp/crypto/certificate.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/libfreerdp/crypto/certificate.c b/libfreerdp/crypto/certificate.c index 207fe9d1f..886f761b0 100644 --- a/libfreerdp/crypto/certificate.c +++ b/libfreerdp/crypto/certificate.c @@ -1404,6 +1404,11 @@ static BOOL bio_read_pem(BIO* bio, char** ppem, size_t* plength) size_t offset = 0; size_t length = blocksize; char* pem = NULL; + + *ppem = NULL; + if (plength) + *plength = 0; + while (offset < length) { char* tmp = realloc(pem, length + 1); @@ -1434,6 +1439,9 @@ static BOOL bio_read_pem(BIO* bio, char** ppem, size_t* plength) *plength = offset; rc = TRUE; fail: + if (!rc) + free(pem); + return rc; } @@ -1445,20 +1453,16 @@ char* freerdp_certificate_get_pem(const rdpCertificate* cert, size_t* pLength) char* freerdp_certificate_get_pem_ex(const rdpCertificate* cert, size_t* pLength, BOOL withCertChain) { - char* pem = NULL; WINPR_ASSERT(cert); if (!cert->x509) return NULL; - BIO* bio = NULL; - int status = 0; - /** * Don't manage certificates internally, leave it up entirely to the external client * implementation */ - bio = BIO_new(BIO_s_mem()); + BIO* bio = BIO_new(BIO_s_mem()); if (!bio) { @@ -1466,8 +1470,9 @@ char* freerdp_certificate_get_pem_ex(const rdpCertificate* cert, size_t* pLength return NULL; } - status = PEM_write_bio_X509(bio, cert->x509); + char* pem = NULL; + const int status = PEM_write_bio_X509(bio, cert->x509); if (status < 0) { WLog_ERR(TAG, "PEM_write_bio_X509 failure: %d", status); @@ -1476,21 +1481,21 @@ char* freerdp_certificate_get_pem_ex(const rdpCertificate* cert, size_t* pLength if (cert->chain && withCertChain) { - int count = sk_X509_num(cert->chain); + const int count = sk_X509_num(cert->chain); for (int x = 0; x < count; x++) { X509* c = sk_X509_value(cert->chain, x); - status = PEM_write_bio_X509(bio, c); - if (status < 0) + const int rc = PEM_write_bio_X509(bio, c); + if (rc < 0) { - WLog_ERR(TAG, "PEM_write_bio_X509 failure: %d", status); + WLog_ERR(TAG, "PEM_write_bio_X509 failure: %d", rc); goto fail; } } } - if (!bio_read_pem(bio, &pem, pLength)) - goto fail; + (void)bio_read_pem(bio, &pem, pLength); + fail: BIO_free_all(bio); return pem; From d3f8cd3073cda68e8c328f2324201416d3bb42b6 Mon Sep 17 00:00:00 2001 From: Armin Novak Date: Wed, 23 Oct 2024 11:39:19 +0200 Subject: [PATCH 6/6] [client,common] fix data race --- client/common/client_cliprdr_file.c | 30 +++++++++++------------------ 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/client/common/client_cliprdr_file.c b/client/common/client_cliprdr_file.c index 09d304bf2..dff6deb19 100644 --- a/client/common/client_cliprdr_file.c +++ b/client/common/client_cliprdr_file.c @@ -1975,6 +1975,7 @@ BOOL cliprdr_file_context_update_server_data(CliprdrFileContext* file_context, w CliprdrFuseClipDataEntry* clip_data_entry = NULL; FILEDESCRIPTORW* files = NULL; UINT32 n_files = 0; + BOOL rc = FALSE; WINPR_ASSERT(file_context); WINPR_ASSERT(clip); @@ -1986,6 +1987,7 @@ BOOL cliprdr_file_context_update_server_data(CliprdrFileContext* file_context, w } HashTable_Lock(file_context->inode_table); + HashTable_Lock(file_context->clip_data_table); if (does_server_support_clipdata_locking(file_context)) clip_data_entry = HashTable_GetItemValue( file_context->clip_data_table, (void*)(uintptr_t)file_context->current_clip_data_id); @@ -2001,29 +2003,19 @@ BOOL cliprdr_file_context_update_server_data(CliprdrFileContext* file_context, w clip_data_dir_new(file_context, does_server_support_clipdata_locking(file_context), file_context->current_clip_data_id); if (!clip_data_entry->clip_data_dir) - { - HashTable_Unlock(file_context->inode_table); - free(files); - return FALSE; - } - + goto fail; if (!update_exposed_path(file_context, clip, clip_data_entry)) - { - HashTable_Unlock(file_context->inode_table); - free(files); - return FALSE; - } - + goto fail; if (!set_selection_for_clip_data_entry(file_context, clip_data_entry, files, n_files)) - { - HashTable_Unlock(file_context->inode_table); - free(files); - return FALSE; - } - HashTable_Unlock(file_context->inode_table); + goto fail; + rc = TRUE; + +fail: + HashTable_Unlock(file_context->clip_data_table); + HashTable_Unlock(file_context->inode_table); free(files); - return TRUE; + return rc; #else return FALSE; #endif