
Commit 6ade7b4

committed
Fixed OOB Read in license_read_new_or_upgrade_license_packet
CVE-2020-11099 thanks to @antonio-morales for finding this.
1 parent 152bf0c commit 6ade7b4


1 file changed

+9
-0
lines changed


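--- a/libfreerdp/core/license.c
+++ b/libfreerdp/core/license.c
@@ -1252,6 +1252,9 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 if (!licenseStream)
 goto out_free_blob;
 
+if (Stream_GetRemainingLength(licenseStream) < 8)
+goto out_free_stream;
+
 Stream_Read_UINT16(licenseStream, os_minor);
 Stream_Read_UINT16(licenseStream, os_major);
 
@@ -1266,6 +1269,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbScope);
 
 /* CompanyName */
+if (Stream_GetRemainingLength(licenseStream) < 4)
+goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbCompanyName);
 if (Stream_GetRemainingLength(licenseStream) < cbCompanyName)
 goto out_free_stream;
@@ -1276,6 +1281,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbCompanyName);
 
 /* productId */
+if (Stream_GetRemainingLength(licenseStream) < 4)
+goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbProductId);
 if (Stream_GetRemainingLength(licenseStream) < cbProductId)
 goto out_free_stream;
@@ -1286,6 +1293,8 @@ BOOL license_read_new_or_upgrade_license_packet(rdpLicense* license, wStream* s)
 Stream_Seek(licenseStream, cbProductId);
 
 /* licenseInfo */
+if (Stream_GetRemainingLength(licenseStream) < 4)
+goto out_free_stream;
 Stream_Read_UINT32(licenseStream, cbLicenseInfo);
 if (Stream_GetRemainingLength(licenseStream) < cbLicenseInfo)
 goto out_free_stream;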
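Review bot: The `< 8` guard in the first hunk is an unexplained constant: only two UINT16 reads (4 bytes) follow it in the hunk, so the remaining 4 bytes presumably cover a length field read just below the visible lines. If that is the breakdown, a comment such as `/* os_minor (2) + os_major (2) + cbScope (4) */` above the check would keep it in step with the reads when the layout is touched again. The three `< 4` guards in the later hunks repeat one pattern (check 4, read length, check length, seek) for CompanyName, productId and licenseInfo. Folding that into one static helper would make it harder to add a length-prefixed field without its guard. The function starts and ends outside these hunks, so what `out_free_stream` returns or logs for a truncated blob cannot be confirmed from here.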
