Fixed OOB Read in license_read_new_or_upgrade_license_packet

CVE-2020-11099 thanks to @antonio-morales for finding this.

(cherry picked from commit 6ade7b4cbf)
akallabeth 2020-05-25 09:37:48 +02:00 committed by Armin Novak
parent c3c02c83ab
commit d5609e5467


@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
if (!licenseStream)
goto out_free_blob;
if (Stream_GetRemainingLength(licenseStream) < 8)
goto out_free_stream;
Stream_Read_UINT16(licenseStream, os_minor);
Stream_Read_UINT16(licenseStream, os_major);
@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbScope);
/* CompanyName */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbCompanyName);
if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
goto out_free_stream;
@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbCompanyName);
/* productId */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbProductId);
if (Stream_GetRemainingLength(licenseStream) < cbProductId)
goto out_free_stream;
@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
Stream_Seek(licenseStream, cbProductId);
/* licenseInfo */
if (Stream_GetRemainingLength(licenseStream) < 4)
goto out_free_stream;
Stream_Read_UINT32(licenseStream, cbLicenseInfo);
if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
goto out_free_stream;
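Review bot: The `< 8` guard added in the first hunk is wider than the two `Stream_Read_UINT16` calls visible after it (4 bytes), so the other 4 bytes presumably cover the `cbScope` length read that follows outside the hunk; nothing on the page states this. A comment such as `/* os_minor (2) + os_major (2) + cbScope (4) */` above the check would keep the constant tied to the reads it protects, so a later change to the field layout does not silently reopen the out-of-bounds read. The same applies to the three `< 4` checks for CompanyName, productId and licenseInfo, each of which guards the `Stream_Read_UINT32` on the following line. The function body starts and ends outside these hunks.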