freerdp3: patch CVE-2024-32039 and CVE-2024-32041

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039 https://nvd.nist.gov/vuln/detail/CVE-2024-32041 Pick the patch that is marked as fixing the related github advisory. The same commit fixes both vulnerabilities. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2026-06-14 05:49:57 +00:00 · 2025-10-11 20:13:30 +02:00
parent 0e314d0f4c
commit ca2667f23a
2 changed files with 71 additions and 1 deletions
@@ -0,0 +1,68 @@
+From bcaac313a07865cf05176c9d07ec1ca0670b2b61 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Tue, 16 Apr 2024 08:35:05 +0200
+Subject: [PATCH] fix integer overflow
+
+reorder check to prevent possible integer overflow
+
+CVE: CVE-2024-32039 CVE-2024-32041
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/1208f23bc967be01cae42ca448a36f4f3d0cb7d8]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libfreerdp/codec/clear.c |  2 +-
+ libfreerdp/codec/zgfx.c  | 14 +++++++++-----
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 5c009d8e9..512aeae20 100644
+--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
+@@ -409,7 +409,7 @@ static BOOL clear_decompress_residual_data(CLEAR_CONTEXT* clear, wStream* s,
+ 			}
+ 		}
+ 
+-		if ((pixelIndex + runLengthFactor) > pixelCount)
+		if ((pixelIndex >= pixelCount) || (runLengthFactor > (pixelCount - pixelIndex)))
+ 		{
+ 			WLog_ERR(TAG,
+ 			         "pixelIndex %" PRIu32 " + runLengthFactor %" PRIu32 " > pixelCount %" PRIu32
+diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
+index 881823ab3..b7ee27511 100644
+--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
+@@ -227,7 +227,10 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 	BYTE* pbSegment = NULL;
+ 	size_t cbSegment = 0;
+ 
+-	if (!zgfx || !stream || (segmentSize < 2))
+	WINPR_ASSERT(zgfx);
+	WINPR_ASSERT(stream);
+
+	if (segmentSize < 2)
+ 		return FALSE;
+ 
+ 	cbSegment = segmentSize - 1;
+@@ -346,8 +349,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 
+ 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+ 							return FALSE;
+-
+-						if (count > zgfx->cBitsRemaining / 8)
+						else if (count > zgfx->cBitsRemaining / 8)
+							return FALSE;
+						else if (zgfx->pbInputCurrent + count > zgfx->pbInputEnd)
+ 							return FALSE;
+ 
+ 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+@@ -386,8 +390,8 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY
+ 	wStream sbuffer = { 0 };
+ 	wStream* stream = Stream_StaticConstInit(&sbuffer, pSrcData, SrcSize);
+ 
+-	if (!stream)
+-		return -1;
+	WINPR_ASSERT(zgfx);
+	WINPR_ASSERT(stream);
+ 
+ 	if (!Stream_CheckAndLogRequiredLength(TAG, stream, 1))
+ 		goto fail;
@@ -8,7 +8,9 @@ DEPENDS = "openssl libusb1 uriparser cairo icu pkcs11-helper zlib jpeg"
 inherit pkgconfig cmake

 SRCREV = "708f3764897e06297469a7b0507b3c9ecc041ad7"
-SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
+           file://CVE-2024-32039.patch \
+           "

 S = "${WORKDIR}/git"