3 files changed, 96 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
new file mode 100644
index 0000000000..a60b2854c8
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
@@ -0,0 +1,53 @@
+https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
+CVE: CVE-2022-39316
+Upstream-Status: Backport
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 09:09:28 +0200
+Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
+(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
+---
+ libfreerdp/codec/zgfx.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
+index 20fbd354571..e260aa6e28a 100644
+--- a/libfreerdp/codec/zgfx.c
+++ b/libfreerdp/codec/zgfx.c
+@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+        BYTE* pbSegment;
+        size_t cbSegment;
+ 
+-       if (!zgfx || !stream)
+       if (!zgfx || !stream || (segmentSize < 2))
+                return FALSE;
+ 
+        cbSegment = segmentSize - 1;
+ 
+-       if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
+-           (segmentSize > UINT32_MAX))
+       if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
+                return FALSE;
+ 
+        Stream_Read_UINT8(stream, flags); /* header (1 byte) */
+        zgfx->OutputCount = 0;
+        pbSegment = Stream_Pointer(stream);
+-       Stream_Seek(stream, cbSegment);
+       if (!Stream_SafeSeek(stream, cbSegment))
+               return FALSE;
+ 
+        if (!(flags & PACKET_COMPRESSED))
+        {
+@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+                                                if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+                                                        return FALSE;
+ 
+                                               if (count > zgfx->cBitsRemaining / 8)
+                                                       return FALSE;
+
+                                                CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+                                                           count);
+                                                zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
new file mode 100644
index 0000000000..76a9e00dd3
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
@@ -0,0 +1,41 @@
+https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
+CVE: CVE-2022-39318 CVE-2022-39319
+Upstream-Status: Backport
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:27:41 +0200
+Subject: [PATCH] Fixed division by zero in urbdrc
+(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index 505c31d7b55..ef87f195f38 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
+++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1221,12 +1221,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
+        if (!Buffer)
+                Stream_Seek(user_data->data, (NumberOfPackets * 12));
+ 
+-       iso_packet_size = BufferSize / NumberOfPackets;
+-       iso_transfer = libusb_alloc_transfer(NumberOfPackets);
+       if (NumberOfPackets > 0)
+       {
+               iso_packet_size = BufferSize / NumberOfPackets;
+               iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
+       }
+ 
+        if (iso_transfer == NULL)
+        {
+-               WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
+               WLog_Print(urbdrc->log, WLOG_ERROR,
+                          "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
+                          " ]",
+                          NumberOfPackets, BufferSize);
+                async_transfer_user_data_free(user_data);
+                return -1;
+        }
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index ece2f56960..9da8b27c0d 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -16,6 +16,8 @@ PKGV = "${GITPKGVTAG}"
 SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1"
 SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
    file://winpr-makecert-Build-with-install-RPATH.patch \
+    file://CVE-2022-39316.patch \
+    file://CVE-2022-39318-39319.patch \
 "
 S = "${WORKDIR}/git"

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch new file mode 100644 index 0000000000..a60b2854c8 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
@@ -0,0 +1,53 @@
		1	https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
		2	CVE: CVE-2022-39316
		3	Upstream-Status: Backport
		4	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		5
		6	From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
		7	From: akallabeth <akallabeth@posteo.net>
		8	Date: Thu, 13 Oct 2022 09:09:28 +0200
		9	Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
		10
		11	(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
		12	---
		13	libfreerdp/codec/zgfx.c \| 11 +++++++----
		14	1 file changed, 7 insertions(+), 4 deletions(-)
		15
		16	diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
		17	index 20fbd354571..e260aa6e28a 100644
		18	--- a/libfreerdp/codec/zgfx.c
		19	+++ b/libfreerdp/codec/zgfx.c
		20	@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
		21	BYTE* pbSegment;
		22	size_t cbSegment;
		23
		24	- if (!zgfx \|\| !stream)
		25	+ if (!zgfx \|\| !stream \|\| (segmentSize < 2))
		26	return FALSE;
		27
		28	cbSegment = segmentSize - 1;
		29
		30	- if ((Stream_GetRemainingLength(stream) < segmentSize) \|\| (segmentSize < 1) \|\|
		31	- (segmentSize > UINT32_MAX))
		32	+ if ((Stream_GetRemainingLength(stream) < segmentSize) \|\| (segmentSize > UINT32_MAX))
		33	return FALSE;
		34
		35	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
		36	zgfx->OutputCount = 0;
		37	pbSegment = Stream_Pointer(stream);
		38	- Stream_Seek(stream, cbSegment);
		39	+ if (!Stream_SafeSeek(stream, cbSegment))
		40	+ return FALSE;
		41
		42	if (!(flags & PACKET_COMPRESSED))
		43	{
		44	@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
		45	if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
		46	return FALSE;
		47
		48	+ if (count > zgfx->cBitsRemaining / 8)
		49	+ return FALSE;
		50	+
		51	CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
		52	count);
		53	zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);


diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch new file mode 100644 index 0000000000..76a9e00dd3 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
@@ -0,0 +1,41 @@
		1	https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
		2	CVE: CVE-2022-39318 CVE-2022-39319
		3	Upstream-Status: Backport
		4	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		5
		6	From 80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea Mon Sep 17 00:00:00 2001
		7	From: akallabeth <akallabeth@posteo.net>
		8	Date: Thu, 13 Oct 2022 08:27:41 +0200
		9	Subject: [PATCH] Fixed division by zero in urbdrc
		10
		11	(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
		12	---
		13	channels/urbdrc/client/libusb/libusb_udevice.c \| 12 +++++++++---
		14	1 file changed, 9 insertions(+), 3 deletions(-)
		15
		16	diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
		17	index 505c31d7b55..ef87f195f38 100644
		18	--- a/channels/urbdrc/client/libusb/libusb_udevice.c
		19	+++ b/channels/urbdrc/client/libusb/libusb_udevice.c
		20	@@ -1221,12 +1221,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
		21	if (!Buffer)
		22	Stream_Seek(user_data->data, (NumberOfPackets * 12));
		23
		24	- iso_packet_size = BufferSize / NumberOfPackets;
		25	- iso_transfer = libusb_alloc_transfer(NumberOfPackets);
		26	+ if (NumberOfPackets > 0)
		27	+ {
		28	+ iso_packet_size = BufferSize / NumberOfPackets;
		29	+ iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
		30	+ }
		31
		32	if (iso_transfer == NULL)
		33	{
		34	- WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
		35	+ WLog_Print(urbdrc->log, WLOG_ERROR,
		36	+ "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
		37	+ " ]",
		38	+ NumberOfPackets, BufferSize);
		39	async_transfer_user_data_free(user_data);
		40	return -1;
		41	}


diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index ece2f56960..9da8b27c0d 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -16,6 +16,8 @@ PKGV = "${GITPKGVTAG}"
16	SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1"	16	SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1"
17	SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \	17	SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
18	file://winpr-makecert-Build-with-install-RPATH.patch \	18	file://winpr-makecert-Build-with-install-RPATH.patch \
		19	file://CVE-2022-39316.patch \
		20	file://CVE-2022-39318-39319.patch \
19	"	21	"
20		22
21	S = "${WORKDIR}/git"	23	S = "${WORKDIR}/git"