From 90d8192387bdbd88a8b7654a08d8bdbdb02fba25 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Sat, 19 Nov 2022 17:40:07 +0800
Subject: [PATCH] CVE-2022-39317_CVE-2022-39320
---
 ...tch => CVE-2022-39316_CVE-2022-39317.patch | 0
 CVE-2022-39320.patch | 29 +++++++++++++++++++
 freerdp.spec | 9 ++++--
 3 files changed, 36 insertions(+), 2 deletions(-)
 rename CVE-2022-39316.patch => CVE-2022-39316_CVE-2022-39317.patch (100%)
 create mode 100644 CVE-2022-39320.patch
diff --git a/CVE-2022-39316.patch b/CVE-2022-39316_CVE-2022-39317.patch
similarity index 100%
rename from CVE-2022-39316.patch
rename to CVE-2022-39316_CVE-2022-39317.patch
diff --git a/CVE-2022-39320.patch b/CVE-2022-39320.patch
new file mode 100644
index 0000000..ec977dc
--- /dev/null
+++ b/CVE-2022-39320.patch
@@ -0,0 +1,29 @@
+From 68c6a8c1878b5294aecb04d5e27531a720b3793f Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Thu, 13 Oct 2022 08:36:26 +0200
+Subject: [PATCH] Ensure urb_create_iocompletion uses size_t for calculation
+
+(cherry picked from commit de7e0f062ee53d00b4a966a43855a716e3478150)
+---
+ channels/urbdrc/client/data_transfer.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index 69879612692..d8725c02cf3 100644
+--- a/channels/urbdrc/client/data_transfer.c
++++ b/channels/urbdrc/client/data_transfer.c
+@@ -97,7 +97,13 @@ static wStream* urb_create_iocompletion(UINT32 InterfaceField, UINT32 MessageId,
+ UINT32 OutputBufferSize)
+ {
+ const UINT32 InterfaceId = (STREAM_ID_PROXY << 30) | (InterfaceField & 0x3FFFFFFF);
+- wStream* out = Stream_New(NULL, OutputBufferSize + 28);
++
++#if UINT32_MAX >= SIZE_MAX
++ if (OutputBufferSize > UINT32_MAX - 28ull)
++ return NULL;
++#endif
++
++ wStream* out = Stream_New(NULL, OutputBufferSize + 28ull);
+
+ if (!out)
+ return NULL;
diff --git a/freerdp.spec b/freerdp.spec
index 24939e9..ea58033 100644
--- a/freerdp.spec
+++ b/freerdp.spec
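Review bot: In CVE-2022-39320.patch, the new guard in `urb_create_iocompletion` is compiled only when `UINT32_MAX >= SIZE_MAX`, so on builds with a 64-bit `size_t` nothing bounds `OutputBufferSize`, and a value near `UINT32_MAX` still reaches `Stream_New` as a request for roughly 4 GiB. Whether the callers cap this length before the call is not visible here, and the function body continues past the hunk. If the value originates from the peer's request, an upper bound tied to what the transfer can legitimately return belongs next to the overflow check. The literal 28 is also repeated in the guard and in the allocation without a name, and the arithmetic is done in `ull` although the subject line says `size_t`; a single definition such as `const size_t hdr_len = 28; /* presumably the fixed header bytes written before the payload, confirm against the writes below */` would keep the two uses from drifting apart.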
@@ -1,6 +1,6 @@
 Name: freerdp
 Version: 2.8.1
-Release: 2
+Release: 3
 Epoch: 2
 Summary: A Remote Desktop Protocol Implementation
 License: Apache-2.0
@@ -11,8 +11,9 @@ Patch0001: Fix-freerdp-shadow-cli-exit-codes-for-help-and-version.patch
 Patch0002: CVE-2022-39319.patch
 Patch0003: CVE-2022-41877.patch
 Patch0004: CVE-2022-39347.patch
-Patch0005: CVE-2022-39316.patch
+Patch0005: CVE-2022-39316_CVE-2022-39317.patch
 Patch0006: CVE-2022-39318.patch
+Patch0007: CVE-2022-39320.patch
 
 BuildRequires: gcc gcc-c++ alsa-lib-devel cmake >= 2.8 cups-devel gsm-devel libXrandr-devel libXv-devel
 BuildRequires: libjpeg-turbo-devel libjpeg-turbo-devel libX11-devel libXcursor-devel libxkbfile-devel
@@ -142,6 +143,10 @@ echo "%{_libdir}/freerdp2" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_
 %{_mandir}/*/*
 
 %changelog
+* Fri Nov 25 2022 liyuxiang - 2:2.8.1-3
+- Fix CVE-2022-39320
+- Fix CVE-2022-39317
+
 * Tue Nov 22 2022 liyuxiang - 2:2.8.1-2
 - Fix CVE-2022-39316
 - Fix CVE-2022-39318
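Review bot: At `Patch0005` in the second freerdp.spec hunk, CVE-2022-39317 is recorded as fixed only by renaming the existing patch file (the rename section shows similarity index 100%), so nothing in this commit lets a reader confirm that the unchanged patch actually covers that CVE. A comment above the line naming the upstream commit for each CVE would make the claim auditable, e.g. `# CVE-2022-39316, CVE-2022-39317: upstream commit <UPSTREAM_COMMIT_ID>`. The `%prep` section lies outside these hunks; if it applies patches through explicit `%patchN` lines rather than automatically, `Patch0007` needs its own entry there, otherwise the CVE-2022-39320 fix is shipped in the source package but never applied to the build.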