Fix CVE-2020-11523: clamp invalid rectangles to size 0

Thanks to Sunglin and HuanGMz from Knownsec 404
FreeRDP · Apr 9, 2020 · ce21b9d · ce21b9d
1 parent 192856c
commit ce21b9d
Showing 1 changed file with 32 additions and 2 deletions.
diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
@@ -37,6 +37,17 @@
 
 #define TAG FREERDP_TAG("gdi.region")
 
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
+{
+	_snprintf(buffer, size - 1,
+	          "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
+	          rect->left, rect->bottom, rect->right);
+	if (size > 1)
+		buffer[size - 1] = '\0'
+
+		    return buffer;
+}
+
 /**
  * Create a region from rectangular coordinates.\n
  * @msdn{dd183514}
@@ -129,10 +140,29 @@ INLINE void gdi_CRectToRgn(INT32 left, INT32 top, INT32 right, INT32 bottom, HGD
 
 INLINE void gdi_RectToCRgn(const HGDI_RECT rect, INT32* x, INT32* y, INT32* w, INT32* h)
 {
+	INT64 tmp;
 	*x = rect->left;
 	*y = rect->top;
-	*w = rect->right - rect->left + 1;
-	*h = rect->bottom - rect->top + 1;
+	tmp = rect->right - rect->left + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*w = 0;
+	}
+	else
+		*w = tmp;
+	tmp = rect->bottom - rect->top + 1;
+	if ((tmp < 0) || (tmp > INT32_MAX))
+	{
+		char buffer[256];
+		WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+		         gdi_rect_str(buffer, sizeof(buffer), rect));
+		*h = 0;
+	}
+	else
+		*h = tmp;
 }
 
 /**