Merge pull request FreeRDP#6295 from akallabeth/security-3-attributed

Fixes
omozousha · Jun 22, 2020 · 2eedede · 2eedede
2 parents 152bf0c + 5dc50f6
commit 2eedede
Show file tree

Hide file tree

Showing 23 changed files with 425 additions and 145 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,26 @@
+# 2020-06-22  Version 2.1.2
+
+Important notes:
+* CVE-2020-4033 Out of bound read in RLEDECOMPRESS
+* CVE-2020-4031 Use-After-Free in gdi_SelectObject
+* CVE-2020-4032 Integer casting vulnerability in `update_recv_secondary_order`
+* CVE-2020-4030 OOB read in `TrioParse`
+* CVE-2020-11099 OOB Read in license_read_new_or_upgrade_license_packet
+* CVE-2020-11098 Out-of-bound read in glyph_cache_put
+* CVE-2020-11097 OOB read in ntlm_av_pair_get
+* CVE-2020-11095 Global OOB read in update_recv_primary_order
+* CVE-2020-11096 Global OOB read in update_read_cache_bitmap_v3_order
+* Gateway RPC fixes for windows
+* Fixed resource fee race resulting in double free in USB redirection
+* Fixed wayland client crashes
+* Fixed X11 client mouse mapping issues (X11 mapping on/off)
+* Some proxy related improvements (capture module)
+* Code cleanup (use getlogin_r, ...)
+
+For a complete and detailed change log since the last release candidate run:
+git log 2.1.1..2.1.2
+
+
 # 2020-05-20  Version 2.1.1
 
 Important notes:

diff --git a/channels/drdynvc/client/drdynvc_main.c b/channels/drdynvc/client/drdynvc_main.c
@@ -580,10 +580,15 @@ static UINT dvcman_open_channel(drdynvcPlugin* drdynvc, IWTSVirtualChannelManage
 	{
 		pCallback = channel->channel_callback;
 
-		if ((pCallback->OnOpen) && (error = pCallback->OnOpen(pCallback)))
+		if (pCallback->OnOpen)
 		{
-			WLog_Print(drdynvc->log, WLOG_ERROR, "OnOpen failed with error %" PRIu32 "!", error);
-			return error;
+			error = pCallback->OnOpen(pCallback);
+			if (error)
+			{
+				WLog_Print(drdynvc->log, WLOG_ERROR, "OnOpen failed with error %" PRIu32 "!",
+				           error);
+				return error;
+			}
 		}
 
 		WLog_Print(drdynvc->log, WLOG_DEBUG, "open_channel: ChannelId %" PRIu32 "", ChannelId);

diff --git a/channels/printer/client/cups/printer_cups.c b/channels/printer/client/cups/printer_cups.c
@@ -69,10 +69,11 @@ struct rdp_cups_print_job
 static void printer_cups_get_printjob_name(char* buf, size_t size, size_t id)
 {
 	time_t tt;
+	struct tm tres;
 	struct tm* t;
 
 	tt = time(NULL);
-	t = localtime(&tt);
+	t = localtime_r(&tt, &tres);
 	sprintf_s(buf, size - 1, "FreeRDP Print %04d-%02d-%02d %02d-%02d-%02d - Job %" PRIdz,
 	          t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec, id);
 }

diff --git a/channels/printer/client/win/printer_win.c b/channels/printer/client/win/printer_win.c
@@ -78,13 +78,14 @@ struct rdp_win_print_job
 static WCHAR* printer_win_get_printjob_name(size_t id)
 {
 	time_t tt;
+	struct tm tres;
 	struct tm* t;
 	WCHAR* str;
 	size_t len = 1024;
 	int rc;
 
 	tt = time(NULL);
-	t = localtime(&tt);
+	t = localtime_s(&tt, &tres);
 
 	str = calloc(len, sizeof(WCHAR));
 	if (!str)

diff --git a/channels/rdpdr/client/rdpdr_main.c b/channels/rdpdr/client/rdpdr_main.c
@@ -598,7 +598,14 @@ static BOOL isAutomountLocation(const char* path)
 	size_t x;
 	char buffer[MAX_PATH];
 	uid_t uid = getuid();
-	const char* uname = getlogin();
+	char uname[MAX_PATH] = { 0 };
+
+#ifndef getlogin_r
+	strncpy(uname, getlogin(), sizeof(uname));
+#else
+	if (getlogin_r(uname, sizeof(uname)) != 0)
+		return FALSE;
+#endif
 
 	if (!path)
 		return FALSE;

diff --git a/client/X11/xf_client.c b/client/X11/xf_client.c
@@ -1181,9 +1181,9 @@ static BOOL xf_pre_connect(freerdp* instance)
 
 	if (!settings->Username && !settings->CredentialsFromStdin && !settings->SmartcardLogon)
 	{
-		char* login_name = getlogin();
+		char login_name[MAX_PATH] = { 0 };
 
-		if (login_name)
+		if (getlogin_r(login_name, sizeof(login_name)) == 0)
 		{
 			settings->Username = _strdup(login_name);
 

diff --git a/libfreerdp/cache/glyph.c b/libfreerdp/cache/glyph.c
@@ -579,7 +579,7 @@ BOOL glyph_cache_put(rdpGlyphCache* glyphCache, UINT32 id, UINT32 index, rdpGlyp
 		return FALSE;
 	}
 
-	if (index > glyphCache->glyphCache[id].number)
+	if (index >= glyphCache->glyphCache[id].number)
 	{
 		WLog_ERR(TAG, "invalid glyph cache index: %" PRIu32 " in cache id: %" PRIu32 "", index, id);
 		return FALSE;

diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
@@ -201,6 +201,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 
 				if (code == LITE_SET_FG_FG_RUN || code == MEGA_MEGA_SET_FG_RUN)
 				{
+					if (pbSrc >= pbEnd)
+						return FALSE;
 					SRCREADPIXEL(fgPel, pbSrc);
 					SRCNEXTPIXEL(pbSrc);
 				}
@@ -231,8 +233,12 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 			case MEGA_MEGA_DITHERED_RUN:
 				runLength = ExtractRunLength(code, pbSrc, &advance);
 				pbSrc = pbSrc + advance;
+				if (pbSrc >= pbEnd)
+					return FALSE;
 				SRCREADPIXEL(pixelA, pbSrc);
 				SRCNEXTPIXEL(pbSrc);
+				if (pbSrc >= pbEnd)
+					return FALSE;
 				SRCREADPIXEL(pixelB, pbSrc);
 				SRCNEXTPIXEL(pbSrc);
 
@@ -252,6 +258,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 			case MEGA_MEGA_COLOR_RUN:
 				runLength = ExtractRunLength(code, pbSrc, &advance);
 				pbSrc = pbSrc + advance;
+				if (pbSrc >= pbEnd)
+					return FALSE;
 				SRCREADPIXEL(pixelA, pbSrc);
 				SRCNEXTPIXEL(pbSrc);
 
@@ -272,6 +280,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 				runLength = ExtractRunLength(code, pbSrc, &advance);
 				pbSrc = pbSrc + advance;
 
+				if (pbSrc >= pbEnd)
+					return FALSE;
 				if (code == LITE_SET_FG_FGBG_IMAGE || code == MEGA_MEGA_SET_FGBG_IMAGE)
 				{
 					SRCREADPIXEL(fgPel, pbSrc);
@@ -338,6 +348,8 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, BY
 					return FALSE;
 
 				UNROLL(runLength, {
+					if (pbSrc >= pbEnd)
+						return FALSE;
 					SRCREADPIXEL(temp, pbSrc);
 					SRCNEXTPIXEL(pbSrc);
 					DESTWRITEPIXEL(pbDest, temp);

diff --git a/libfreerdp/core/license.c b/libfreerdp/core/license.c
@@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 	if (!licenseStream)
 		goto out_free_blob;
 
+	if (Stream_GetRemainingLength(licenseStream) < 8)
+		goto out_free_stream;
+
 	Stream_Read_UINT16(licenseStream, os_minor);
 	Stream_Read_UINT16(licenseStream, os_major);
 
@@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 	Stream_Seek(licenseStream, cbScope);
 
 	/* CompanyName */
+	if (Stream_GetRemainingLength(licenseStream) < 4)
+		goto out_free_stream;
 	Stream_Read_UINT32(licenseStream, cbCompanyName);
 	if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
 		goto out_free_stream;
@@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 	Stream_Seek(licenseStream, cbCompanyName);
 
 	/* productId */
+	if (Stream_GetRemainingLength(licenseStream) < 4)
+		goto out_free_stream;
 	Stream_Read_UINT32(licenseStream, cbProductId);
 	if (Stream_GetRemainingLength(licenseStream) < cbProductId)
 		goto out_free_stream;
@@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 	Stream_Seek(licenseStream, cbProductId);
 
 	/* licenseInfo */
+	if (Stream_GetRemainingLength(licenseStream) < 4)
+		goto out_free_stream;
 	Stream_Read_UINT32(licenseStream, cbLicenseInfo);
 	if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
 		goto out_free_stream;