freerdp/CVE-2018-8787.patch

--- a/libfreerdp/gdi/graphics.c	2018-08-01 21:27:31.000000000 +0800
+++ b/libfreerdp/gdi/graphics.c	2019-04-04 18:48:18.411000000 +0800
@@ -141,11 +141,19 @@ static BOOL gdi_Bitmap_Decompress(rdpCon
 	UINT32 SrcSize = length;
 	UINT32 SrcFormat;
 	rdpGdi* gdi = context->gdi;
+	UINT32 size = DstWidth * DstHeight;
 	bitmap->compressed = FALSE;
 	bitmap->format = gdi->dstFormat;
-	bitmap->length = DstWidth * DstHeight * GetBytesPerPixel(bitmap->format);
 	bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);
 
+	if ((GetBytesPerPixel(bitmap->format) == 0) ||
+	    (DstWidth == 0) || (DstHeight == 0) || (DstWidth > UINT32_MAX / DstHeight) ||
+	    (size > (UINT32_MAX / GetBytesPerPixel(bitmap->format))))
+		return FALSE;
+
+	size *= GetBytesPerPixel(bitmap->format);
+	bitmap->length = size;
+
 	if (!bitmap->data)
 		return FALSE;
conernetworking-plugins : modified spec add patch file 2019-12-03 14:35:04 +08:00			`--- a/libfreerdp/gdi/graphics.c 2018-08-01 21:27:31.000000000 +0800`
			`+++ b/libfreerdp/gdi/graphics.c 2019-04-04 18:48:18.411000000 +0800`
			`@@ -141,11 +141,19 @@ static BOOL gdi_Bitmap_Decompress(rdpCon`
			`UINT32 SrcSize = length;`
			`UINT32 SrcFormat;`
			`rdpGdi* gdi = context->gdi;`
			`+ UINT32 size = DstWidth * DstHeight;`
			`bitmap->compressed = FALSE;`
			`bitmap->format = gdi->dstFormat;`
			`- bitmap->length = DstWidth * DstHeight * GetBytesPerPixel(bitmap->format);`
			`bitmap->data = (BYTE*) _aligned_malloc(bitmap->length, 16);`

			`+ if ((GetBytesPerPixel(bitmap->format) == 0) \|\|`
			`+ (DstWidth == 0) \|\| (DstHeight == 0) \|\| (DstWidth > UINT32_MAX / DstHeight) \|\|`
			`+ (size > (UINT32_MAX / GetBytesPerPixel(bitmap->format))))`
			`+ return FALSE;`
			`+`
			`+ size *= GetBytesPerPixel(bitmap->format);`
			`+ bitmap->length = size;`
			`+`
			`if (!bitmap->data)`
			`return FALSE;`