Merge pull request #6285 from akallabeth/stable-backports2

Stable backports

CMakeLists.txt

@@ -81,7 +81,7 @@ if ($ENV{BUILD_NUMBER})
 endif()
 set(WITH_LIBRARY_VERSIONING "ON")
 
-set(RAW_VERSION_STRING "2.1.1")
+set(RAW_VERSION_STRING "2.1.2")
 if(EXISTS "${CMAKE_SOURCE_DIR}/.source_tag")
 	file(READ ${CMAKE_SOURCE_DIR}/.source_tag RAW_VERSION_STRING)
 elseif(USE_VERSION_FROM_GIT_TAG)

ChangeLog

@@ -1,3 +1,26 @@
+# 2020-06-22  Version 2.1.2
+
+Important notes:
+* CVE-2020-4033 Out of bound read in RLEDECOMPRESS
+* CVE-2020-4031 Use-After-Free in gdi_SelectObject
+* CVE-2020-4032 Integer casting vulnerability in `update_recv_secondary_order`
+* CVE-2020-4030 OOB read in `TrioParse`
+* CVE-2020-11099 OOB Read in license_read_new_or_upgrade_license_packet
+* CVE-2020-11098 Out-of-bound read in glyph_cache_put
+* CVE-2020-11097 OOB read in ntlm_av_pair_get
+* CVE-2020-11095 Global OOB read in update_recv_primary_order
+* CVE-2020-11096 Global OOB read in update_read_cache_bitmap_v3_order
+* Gateway RPC fixes for windows
+* Fixed resource fee race resulting in double free in USB redirection
+* Fixed wayland client crashes
+* Fixed X11 client mouse mapping issues (X11 mapping on/off)
+* Some proxy related improvements (capture module)
+* Code cleanup (use getlogin_r, ...)
+
+For a complete and detailed change log since the last release candidate run:
+git log 2.1.1..2.1.2
+
+
 # 2020-05-20  Version 2.1.1
 
 Important notes:

channels/drdynvc/client/drdynvc_main.c

@@ -580,10 +580,15 @@ static UINT dvcman_open_channel(drdynvcPlugin* drdynvc, IWTSVirtualChannelManage
 	{
 		pCallback = channel->channel_callback;
 
-		if ((pCallback->OnOpen) && (error = pCallback->OnOpen(pCallback)))
+		if (pCallback->OnOpen)
 		{
-			WLog_Print(drdynvc->log, WLOG_ERROR, "OnOpen failed with error %" PRIu32 "!", error);
-			return error;
+			error = pCallback->OnOpen(pCallback);
+			if (error)
+			{
+				WLog_Print(drdynvc->log, WLOG_ERROR, "OnOpen failed with error %" PRIu32 "!",
+				           error);
+				return error;
+			}
 		}
 
 		WLog_Print(drdynvc->log, WLOG_DEBUG, "open_channel: ChannelId %" PRIu32 "", ChannelId);
@@ -1583,13 +1588,15 @@ static UINT drdynvc_virtual_channel_event_terminated(drdynvcPlugin* drdynvc)
 	if (!drdynvc)
 		return CHANNEL_RC_BAD_CHANNEL_HANDLE;
 
+	MessageQueue_Free(drdynvc->queue);
+	drdynvc->queue = NULL;
+
 	if (drdynvc->channel_mgr)
 	{
 		dvcman_free(drdynvc, drdynvc->channel_mgr);
 		drdynvc->channel_mgr = NULL;
 	}
-	MessageQueue_Free(drdynvc->queue);
-	drdynvc->queue = NULL;
+
 	drdynvc->InitHandle = 0;
 	free(drdynvc->context);
 	free(drdynvc);

channels/encomsp/client/encomsp_main.c

@@ -1116,8 +1116,11 @@ static DWORD WINAPI encomsp_virtual_channel_client_thread(LPVOID arg)
 			if ((error = encomsp_process_receive(encomsp, data)))
 			{
 				WLog_ERR(TAG, "encomsp_process_receive failed with error %" PRIu32 "!", error);
+				Stream_Free(data, TRUE);
 				break;
 			}
+
+			Stream_Free(data, TRUE);
 		}
 	}
 

channels/geometry/client/geometry_main.c

@@ -27,7 +27,6 @@
 
 #include <winpr/crt.h>
 #include <winpr/synch.h>
-#include <winpr/interlocked.h>
 #include <winpr/print.h>
 #include <winpr/stream.h>
 #include <winpr/cmdline.h>
@@ -82,23 +81,6 @@ static BOOL mappedGeometryKeyCompare(UINT64* g1, UINT64* g2)
 	return *g1 == *g2;
 }
 
-void mappedGeometryRef(MAPPED_GEOMETRY* g)
-{
-	InterlockedIncrement(&g->refCounter);
-}
-
-void mappedGeometryUnref(MAPPED_GEOMETRY* g)
-{
-	if (InterlockedDecrement(&g->refCounter))
-		return;
-
-	g->MappedGeometryUpdate = NULL;
-	g->MappedGeometryClear = NULL;
-	g->custom = NULL;
-	free(g->geometry.rects);
-	free(g);
-}
-
 static void freerdp_rgndata_reset(FREERDP_RGNDATA* data)
 {
 	data->nRectCount = 0;

channels/printer/client/cups/printer_cups.c

@@ -69,10 +69,11 @@ struct rdp_cups_print_job
 static void printer_cups_get_printjob_name(char* buf, size_t size, size_t id)
 {
 	time_t tt;
+	struct tm tres;
 	struct tm* t;
 
 	tt = time(NULL);
-	t = localtime(&tt);
+	t = localtime_r(&tt, &tres);
 	sprintf_s(buf, size - 1, "FreeRDP Print %04d-%02d-%02d %02d-%02d-%02d - Job %" PRIdz,
 	          t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec, id);
 }

channels/printer/client/win/printer_win.c

@@ -78,13 +78,14 @@ struct rdp_win_print_job
 static WCHAR* printer_win_get_printjob_name(size_t id)
 {
 	time_t tt;
+	struct tm tres;
 	struct tm* t;
 	WCHAR* str;
 	size_t len = 1024;
 	int rc;
 
 	tt = time(NULL);
-	t = localtime(&tt);
+	t = localtime_s(&tt, &tres);
 
 	str = calloc(len, sizeof(WCHAR));
 	if (!str)

channels/rdpdr/client/rdpdr_main.c

@@ -598,7 +598,14 @@ static BOOL isAutomountLocation(const char* path)
 	size_t x;
 	char buffer[MAX_PATH];
 	uid_t uid = getuid();
-	const char* uname = getlogin();
+	char uname[MAX_PATH] = { 0 };
+
+#ifndef getlogin_r
+	strncpy(uname, getlogin(), sizeof(uname));
+#else
+	if (getlogin_r(uname, sizeof(uname)) != 0)
+		return FALSE;
+#endif
 
 	if (!path)
 		return FALSE;

channels/rdpei/client/rdpei_main.c

@@ -604,6 +604,7 @@ static UINT rdpei_plugin_terminated(IWTSPlugin* pPlugin)
 			IFCALL(mgr->DestroyListener, mgr, rdpei->listener);
 	}
 	free(rdpei->listener_callback);
+	free(rdpei->contactPoints);
 	free(rdpei->context);
 	free(rdpei);
 	return CHANNEL_RC_OK;

channels/rdpei/rdpei_common.c

@@ -306,7 +306,7 @@ BOOL rdpei_write_4byte_signed(wStream* s, INT32 value)
 		value *= -1;
 	}
 
-	if (value <= 0x1FUL)
+	if (value <= 0x1FL)
 	{
 		byte = value & 0x1F;
 
@@ -315,7 +315,7 @@ BOOL rdpei_write_4byte_signed(wStream* s, INT32 value)
 
 		Stream_Write_UINT8(s, byte);
 	}
-	else if (value <= 0x1FFFUL)
+	else if (value <= 0x1FFFL)
 	{
 		byte = (value >> 8) & 0x1F;
 
@@ -326,7 +326,7 @@ BOOL rdpei_write_4byte_signed(wStream* s, INT32 value)
 		byte = (value & 0xFF);
 		Stream_Write_UINT8(s, byte);
 	}
-	else if (value <= 0x1FFFFFUL)
+	else if (value <= 0x1FFFFFL)
 	{
 		byte = (value >> 16) & 0x1F;
 
@@ -339,7 +339,7 @@ BOOL rdpei_write_4byte_signed(wStream* s, INT32 value)
 		byte = (value & 0xFF);
 		Stream_Write_UINT8(s, byte);
 	}
-	else if (value <= 0x1FFFFFFFUL)
+	else if (value <= 0x1FFFFFFFL)
 	{
 		byte = (value >> 24) & 0x1F;
 

channels/remdesk/client/remdesk_main.c

@@ -843,8 +843,11 @@ static DWORD WINAPI remdesk_virtual_channel_client_thread(LPVOID arg)
 			if ((error = remdesk_process_receive(remdesk, data)))
 			{
 				WLog_ERR(TAG, "remdesk_process_receive failed with error %" PRIu32 "!", error);
+				Stream_Free(data, TRUE);
 				break;
 			}
+
+			Stream_Free(data, TRUE);
 		}
 	}
 

channels/smartcard/client/smartcard_operations.c

@@ -921,15 +921,38 @@ static LONG smartcard_LocateCardsA_Call(SMARTCARD_DEVICE* smartcard, SMARTCARD_O
 	ret.ReturnCode = SCardLocateCardsA(operation->hContext, call->mszCards, call->rgReaderStates,
 	                                   call->cReaders);
 	log_status_error(TAG, "SCardLocateCardsA", ret.ReturnCode);
+	ret.cReaders = call->cReaders;
+	ret.rgReaderStates = NULL;
+
 	free(call->mszCards);
+
+	if (ret.cReaders > 0)
+	{
+		ret.rgReaderStates = (ReaderState_Return*)calloc(ret.cReaders, sizeof(ReaderState_Return));
+
+		if (!ret.rgReaderStates)
+			return STATUS_NO_MEMORY;
+	}
+
+	for (x = 0; x < ret.cReaders; x++)
+	{
+		ret.rgReaderStates[x].dwCurrentState = call->rgReaderStates[x].dwCurrentState;
+		ret.rgReaderStates[x].dwEventState = call->rgReaderStates[x].dwEventState;
+		ret.rgReaderStates[x].cbAtr = call->rgReaderStates[x].cbAtr;
+		CopyMemory(&(ret.rgReaderStates[x].rgbAtr), &(call->rgReaderStates[x].rgbAtr),
+		           sizeof(ret.rgReaderStates[x].rgbAtr));
+	}
+
+	status = smartcard_pack_locate_cards_return(smartcard, irp->output, &ret);
+
 	for (x = 0; x < call->cReaders; x++)
 	{
 		SCARD_READERSTATEA* state = &call->rgReaderStates[x];
 		free(state->szReader);
 	}
+
 	free(call->rgReaderStates);
 
-	status = smartcard_pack_locate_cards_return(smartcard, irp->output, &ret);
 	if (status != SCARD_S_SUCCESS)
 		return status;
 
@@ -947,15 +970,38 @@ static LONG smartcard_LocateCardsW_Call(SMARTCARD_DEVICE* smartcard, SMARTCARD_O
 	ret.ReturnCode = SCardLocateCardsW(operation->hContext, call->mszCards, call->rgReaderStates,
 	                                   call->cReaders);
 	log_status_error(TAG, "SCardLocateCardsW", ret.ReturnCode);
+	ret.cReaders = call->cReaders;
+	ret.rgReaderStates = NULL;
+
 	free(call->mszCards);
+
+	if (ret.cReaders > 0)
+	{
+		ret.rgReaderStates = (ReaderState_Return*)calloc(ret.cReaders, sizeof(ReaderState_Return));
+
+		if (!ret.rgReaderStates)
+			return STATUS_NO_MEMORY;
+	}
+
+	for (x = 0; x < ret.cReaders; x++)
+	{
+		ret.rgReaderStates[x].dwCurrentState = call->rgReaderStates[x].dwCurrentState;
+		ret.rgReaderStates[x].dwEventState = call->rgReaderStates[x].dwEventState;
+		ret.rgReaderStates[x].cbAtr = call->rgReaderStates[x].cbAtr;
+		CopyMemory(&(ret.rgReaderStates[x].rgbAtr), &(call->rgReaderStates[x].rgbAtr),
+		           sizeof(ret.rgReaderStates[x].rgbAtr));
+	}
+
+	status = smartcard_pack_locate_cards_return(smartcard, irp->output, &ret);
+
 	for (x = 0; x < call->cReaders; x++)
 	{
 		SCARD_READERSTATEW* state = &call->rgReaderStates[x];
 		free(state->szReader);
 	}
+
 	free(call->rgReaderStates);
 
-	status = smartcard_pack_locate_cards_return(smartcard, irp->output, &ret);
 	if (status != SCARD_S_SUCCESS)
 		return status;
 

channels/smartcard/client/smartcard_pack.c

@@ -389,7 +389,7 @@ static char* smartcard_msz_dump_a(const char* msz, size_t len, char* buffer, siz
 
 static char* smartcard_msz_dump_w(const WCHAR* msz, size_t len, char* buffer, size_t bufferLen)
 {
-	char* sz;
+	char* sz = NULL;
 	ConvertFromUnicode(CP_UTF8, 0, msz, (int)len, &sz, 0, NULL, NULL);
 	return smartcard_msz_dump_a(sz, len, buffer, bufferLen);
 }
@@ -466,7 +466,7 @@ static void smartcard_trace_context_and_string_call_w(const char* name,
                                                       const REDIR_SCARDCONTEXT* phContext,
                                                       const WCHAR* sz)
 {
-	char* tmp;
+	char* tmp = NULL;
 	if (!WLog_IsLevelActive(WLog_Get(TAG), g_LogLevel))
 		return;
 
@@ -883,7 +883,7 @@ static void smartcard_trace_write_cache_a_call(SMARTCARD_DEVICE* smartcard,
 static void smartcard_trace_write_cache_w_call(SMARTCARD_DEVICE* smartcard,
                                                const WriteCacheW_Call* call)
 {
-	char* tmp;
+	char* tmp = NULL;
 	char buffer[1024];
 	WINPR_UNUSED(smartcard);
 	if (!WLog_IsLevelActive(WLog_Get(TAG), g_LogLevel))
@@ -931,7 +931,7 @@ static void smartcard_trace_read_cache_a_call(SMARTCARD_DEVICE* smartcard,
 static void smartcard_trace_read_cache_w_call(SMARTCARD_DEVICE* smartcard,
                                               const ReadCacheW_Call* call)
 {
-	char* tmp;
+	char* tmp = NULL;
 	char buffer[1024];
 	WINPR_UNUSED(smartcard);
 	if (!WLog_IsLevelActive(WLog_Get(TAG), g_LogLevel))

channels/urbdrc/client/data_transfer.c

@@ -767,8 +767,6 @@ static void urb_isoch_transfer_cb(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callb
 			callback->channel->Write(callback->channel, Stream_GetPosition(out), Stream_Buffer(out),
 			                         NULL);
 	}
-
-	Stream_Free(out, TRUE);
 }
 
 static UINT urb_isoch_transfer(IUDEVICE* pdev, URBDRC_CHANNEL_CALLBACK* callback, wStream* s,