From ca2667f23ac1472996e029fcdd1c53986c1e4de4 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Sat, 11 Oct 2025 20:13:30 +0200
Subject: [PATCH] freerdp3: patch CVE-2024-32039 and CVE-2024-32041
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32039 https://nvd.nist.gov/vuln/detail/CVE-2024-32041 Pick the patch that is marked as fixing the related github advisory. The same commit fixes both vulnerabilities.
Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
---
 .../freerdp/freerdp3/CVE-2024-32039.patch | 68 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb | 4 +-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2024-32039.patch
diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2024-32039.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2024-32039.patch
new file mode 100644
index 0000000000..f553228350
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2024-32039.patch
@@ -0,0 +1,68 @@
+From bcaac313a07865cf05176c9d07ec1ca0670b2b61 Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Tue, 16 Apr 2024 08:35:05 +0200
+Subject: [PATCH] fix integer overflow
+
+reorder check to prevent possible integer overflow
+
+CVE: CVE-2024-32039 CVE-2024-32041
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/1208f23bc967be01cae42ca448a36f4f3d0cb7d8]
+
+Signed-off-by: Gyorgy Sarvari
+---
+ libfreerdp/codec/clear.c | 2 +-
+ libfreerdp/codec/zgfx.c | 14 +++++++++-----
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 5c009d8e9..512aeae20 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -409,7 +409,7 @@ static BOOL clear_decompress_residual_data(CLEAR_CONTEXT* clear, wStream* s,
+ }
+ }
+
+- if ((pixelIndex + runLengthFactor) > pixelCount)
++ if ((pixelIndex >= pixelCount) || (runLengthFactor > (pixelCount - pixelIndex)))
+ {
+ WLog_ERR(TAG,
+ "pixelIndex %" PRIu32 " + runLengthFactor %" PRIu32 " > pixelCount %" PRIu32
+diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
+index 881823ab3..b7ee27511 100644
+--- a/libfreerdp/codec/zgfx.c
++++ b/libfreerdp/codec/zgfx.c
+@@ -227,7 +227,10 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ BYTE* pbSegment = NULL;
+ size_t cbSegment = 0;
+
+- if (!zgfx || !stream || (segmentSize < 2))
++ WINPR_ASSERT(zgfx);
++ WINPR_ASSERT(stream);
++
++ if (segmentSize < 2)
+ return FALSE;
+
+ cbSegment = segmentSize - 1;
+@@ -346,8 +349,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+
+ if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+ return FALSE;
+-
+- if (count > zgfx->cBitsRemaining / 8)
++ else if (count > zgfx->cBitsRemaining / 8)
++ return FALSE;
++ else if (zgfx->pbInputCurrent + count > zgfx->pbInputEnd)
+ return FALSE;
+
+ CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+@@ -386,8 +390,8 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY
+ wStream sbuffer = { 0 };
+ wStream* stream = Stream_StaticConstInit(&sbuffer, pSrcData, SrcSize);
+
+- if (!stream)
+- return -1;
++ WINPR_ASSERT(zgfx);
++ WINPR_ASSERT(stream);
+
+ if (!Stream_CheckAndLogRequiredLength(TAG, stream, 1))
+ goto fail;
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index f29b9afbee..b07d7d139b 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -8,7 +8,9 @@ DEPENDS = "openssl libusb1 uriparser cairo icu pkcs11-helper zlib jpeg"
 inherit pkgconfig cmake
 SRCREV = "708f3764897e06297469a7b0507b3c9ecc041ad7"
-SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
+ file://CVE-2024-32039.patch \
+ "
 S = "${WORKDIR}/git"
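Review bot: In the zgfx.c part of the added patch, the new bound `zgfx->pbInputCurrent + count > zgfx->pbInputEnd` forms the pointer sum before comparing, which is the add-then-compare shape this same patch removes from clear.c; with a large `count` the sum points past the buffer, which is undefined in C and may not compare as intended. The subtraction form keeps the arithmetic in range: `else if (count > (size_t)(zgfx->pbInputEnd - zgfx->pbInputCurrent))`. The preceding `cBitsRemaining / 8` test probably bounds `count` already, but its declaration and the rest of zgfx_decompress_segment lie outside the hunk, so that is not confirmed here. The same patch also turns the NULL guards in zgfx_decompress_segment and zgfx_decompress into `WINPR_ASSERT`, so it is worth confirming that this recipe's build keeps those assertions active rather than compiling them out. As the file is an upstream backport, both points are better raised with FreeRDP than changed locally.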