Fix CVE-2020-11523: clamp invalid rectangles to size 0

Thanks to Sunglin and HuanGMz from Knownsec 404
This commit is contained in:
akallabeth 2020-03-30 17:32:04 +02:00 committed by akallabeth
parent 192856cb59
commit ce21b9d7ec

View File

@ -37,6 +37,17 @@
#define TAG FREERDP_TAG("gdi.region")
static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
{
_snprintf(buffer, size - 1,
"[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
rect->left, rect->bottom, rect->right);
if (size > 1)
buffer[size - 1] = '\0'
return buffer;
}
/**
* Create a region from rectangular coordinates.\n
* @msdn{dd183514}
@ -129,10 +140,29 @@ INLINE void gdi_CRectToRgn(INT32 left, INT32 top, INT32 right, INT32 bottom, HGD
INLINE void gdi_RectToCRgn(const HGDI_RECT rect, INT32* x, INT32* y, INT32* w, INT32* h)
{
INT64 tmp;
*x = rect->left;
*y = rect->top;
*w = rect->right - rect->left + 1;
*h = rect->bottom - rect->top + 1;
tmp = rect->right - rect->left + 1;
if ((tmp < 0) || (tmp > INT32_MAX))
{
char buffer[256];
WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
gdi_rect_str(buffer, sizeof(buffer), rect));
*w = 0;
}
else
*w = tmp;
tmp = rect->bottom - rect->top + 1;
if ((tmp < 0) || (tmp > INT32_MAX))
{
char buffer[256];
WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
gdi_rect_str(buffer, sizeof(buffer), rect));
*h = 0;
}
else
*h = tmp;
}
/**